
06.3 HHS PIA Summary for Posting (Form) / NIH CC Activity Based Cost System (ABC) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 5, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-02-3099-00

4. Privacy Act System of Records (SOR) Number: None

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name: NIH CC Activity Based Costing System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dan Rinehuls

10. Provide an overview of the system: The ABC System contains information about resource allocation across research protocols conducted in the Intramural Research Program of the NIH, including specific protocol identification data, as well as other information related to medical care, supplies and services related to those protocols.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): NIH employees for budget review and development.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The only IIF involved in the ABC System are the names of the investigators related to each research protocol, all of whom are NIH employees. It is mandatory that each protocol have a related principal investigator. All remaining information relates to budgetary requirements, including specific clinical services, IC budgets and resource allocation.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Employees provide names at the time they apply for protocol approval from their IRB, which is required for protocol review and administrative approval. If any information other than employee names is collected, then notification will be sent out from OFRM to each individual. However, there are no current plans to collect additional IIF in the future.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Only authorized persons may have access to the ABC System and the system is protected through door locks and other physical controls, as well as technical controls including user identification and password protection.

PIA Reviewer Approval: Promote

Comments: This system not previously reported as full PIA because only IIF are employees' names.

PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954:

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CC Admissions and Travel Voucher Application (ATV) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 7, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number: 09-25-0099

5. OMB Information Collection Approval Number: Not Applicable

6. Other Identifying Number(s): None

7. System Name: Admissions and Travel Voucher (ATV) Application

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jerry P. King

10. Provide an overview of the system: This is an ancillary application part of the CRIS system that allows research participants to register and procure travel requisitions and payments.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Shares information with travel agents so that travel arrangements can be made. Sharing is done per SOR 09-25-0200.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Legislation authority is the Public Health Service Act. (42 U.S.C. 241, 242, 248, 281, 282, 284, 285a, 285b, 285c, 285d, 285e, 285f, 285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a, 289c, and 44 U.S.C. 3101.) The information collected is name, date of birth, social security number, mailing address, medical record number, and e-mail address. This information is used to register individuals as participants in clinical trials and to assist in providing travel arrangements for those individuals. Information is disclosed to travel agents to assist in making the necessary travel arrangements. Information submission is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Notification of all information practices is provided to every patient participating in research upon initial registration and upon every re-registration, including any changes to collection and types of information.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: IIF is secured using username/passwords, secure sockets, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote

Comments: IIF

PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954:

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CC Automated Nurse Staff Office Schedule (ANSOS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 10, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3008-00

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name: CC ANSOS: Automated Nurse Staff Office Schedule

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Barbara Quinn

10. Provide an overview of the system: The ANSOS System is used to arrange schedules and project staffing needs for nurses caring for patients at the Clinical Center and is authorized by Section 301 of the Public Health Service Act.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): As per SOR 09-90-0019. This information is further addressed in the HHS Privacy Act Systems of Record Notice 09-90-0018, published in the Federal Register, Volume 59, November 9, 1994.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Includes basic identification data including name, date of birth, address, phone numbers and related information necessary to develop schedules for nurses and to project utilization and staffing needs across the Clinical Center. Submission is mandatory if the individual wishes to be employed as a nurse at the Clinical Center.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Each individual is informed of information practices at the time of job application and subsequently when individual schedules are developed. In addition, the CC Nursing Department is responsible for notifying each nurse of major system changes related to IIF, which may be done electronically or in written form.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Only authorized persons may have access to the ANSOS System and the system is protected through door locks and other physical controls, as well as technical controls including user identification and password protection.

PIA Reviewer Approval: Promote

Comments: IIF

PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954:

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CC Blood Bank Collection System (BBCS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 10, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3007-00

4. Privacy Act System of Records (SOR) Number: 09-25-0011

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name: Blood Bank Collection System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Boyd Conley

10. Provide an overview of the system: The system contains data regarding donors at the Department of Transfusion Medicine used to conduct clinical care and research at the Clinical Center as authorized by Section 301 of the Public Health Service Act.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): None

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Information, including past donations, blood types, phenotypes, lab results, serologic reactions and related information, is collected from donors of blood and blood components to be used for clinical care and research at the Clinical Center. Submission is mandatory since donations must be directly attributable to each individual donor.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Each individual donor is informed of required information collection and uses before donation. Major systems changes would be sent directly to each donor and new consents obtained upon new donations.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Only authorized persons may have access and the system is protected through door locks and other physical controls, as well as technical controls including user identification and password protection.

PIA Reviewer Approval: Promote

Comments: IIF

PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954:

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CC Clinical Research Information System (CRIS Core) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 10, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-06-01-3006-00-110-219

4. Privacy Act System of Records (SOR) Number: 09-25-0099

5. OMB Information Collection Approval Number: NO

6. Other Identifying Number(s): CC-1

7. System Name: Clinical Research Information System (CRIS) Core

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dr. Jon McKeeby

10. Provide an overview of the system: Core system and component applications to document clinical care and research for registered patients at the Clinical Research Center: NIH. This activity is authorized by Section 301 of the Public Health and Safety Act

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The Mayo Clinic for contracted lab tests not performed by the Department Of Laboratory Medicine at the CC.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Patient information collected by the NIH is described in the NIH System of Records 09-25-0099. The information contains IIF and the submission is voluntary based on an individual's consent to become a registered patient at NIH.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Information is obtained from patient interviews, referring physicians, a multi-disciplinary care team, and diagnostic, therapeutic, and research results. Admission and protocol consent forms are signed by each patient and an information practices notification form is provided to each patient at the time of initial admission. Each patient would be advised at the time of admission about major system changes and the CC Information Practices notice would be revised and provided to each patient.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system and all contained data are protected using administrative, technical, and physical security and privacy controls. System is behind locked doors, monitored by CC TV and cipher locks. In addition, only authorized users have access which is restricted based on user roles and hierarchal passwords.

PIA Reviewer Approval: Promote

Comments: IIF

PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954:

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CC Clinical Research Volunteer Program (CRVP) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 5, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3099-00-110-031

4. Privacy Act System of Records (SOR) Number: 09-25-0012

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name: Clinical Research: Candidate Potential Volunteer and Research Subject Records

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jerry King

10. Provide an overview of the system: System is used to contain information about potential candidates for participation as volunteers or research subjects participating in clinical research protocols at the Clinical Center.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This information is addressed in the NIH Privacy Act Systems of Record Notice 09-25-0012, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Demographics and health information are collected from program applications, health questionnaires and records of prior participation to provide appropriate persons as volunteers or research subjects in approved research protocols conducted at the Clinical Center. Submission is voluntary if person does not want to be referred as a potential research subject but mandatory for those who do wish to be referred.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Each person is verbally informed of information uses and verbal consent is obtained from each person who wishes to be evaluated as a potential research subject. Each individual is informed of information collection and uses prior to acceptance as a volunteer or patient. Each applicant would be notified directly by phone of any major system changes and new consent would be obtained.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: As per standard CIT procedures for the collection, maintenance and destruction of computer files, as well as specified in the PA Systems Notice.

PIA Reviewer Approval: Promote

Comments: IIF

PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954:

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CC Data Center (CCDC) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 5, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3007-00-110-031

4. Privacy Act System of Records (SOR) Number: NO

5. OMB Information Collection Approval Number: NO

6. Other Identifying Number(s): NO

7. System Name: Clinical Center Data Center

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: John Franco

10. Provide an overview of the system: The CC Data Center (CCDC) supports approximately 4,500 users within the NIH Clinical Center, and is located at the Institute’s headquarters on the NIH campus in Bethesda, Maryland.

The CCDC comprises a variety of servers including network servers, application servers, and Web and Internet servers. CCDC has been identified as a Data Center.

While many applications reside within the servers in the CCDC, the CCDC itself does not process or store any data that could be considered IIF.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF collected, stored, or processed.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: No IIF collected, stored, or processed. Private shares on CCDC file servers are used by CC personnel for storage of working documents to facilitate performance of their assigned duties. The information in working documents is not IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A--No IIF collected, stored, or processed.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A--No IIF collected, stored, or processed.

PIA Reviewer Approval: Promote

Comments: IIF

PIA Reviewer Name: John Franco: 301-496-6745

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CC Executive Information System (EIS) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 5, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3099-00-403-131

4. Privacy Act System of Records (SOR) Number: NO

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: CC Executive Information System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: John Franco

10. Provide an overview of the system: The Executive Information System (EIS) is an application designed to provide real time reporting of key hospital performance indicators. The EIS provides query and reporting capabilities for executive decision makers, and allows staff to view daily, monthly, annual patient census information and key hospital performance metrics. Census data can be reported by hospital unit and protocol, IC, branch, and Principal Investigator.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): NO

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: EIS reports (does not collect) census statistics. Metrics include admissions, inpatient days, outpatient visits, average length of stay, discharges, and patient counts. The information is used by nursing and clinical departments to manage operations and is used by executive leadership to track trends in hospital census activity. There is no personal information submitted to or reported from EIS.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: System does not store any IIF.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Reviewer Approval: Promote

Comments: IIF

PIA Reviewer Name: John Franco: 301-496-6745

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CC Lawson (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 5, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3099-00-110-031

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Lawson

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: John Franco

10. Provide an overview of the system: Lawson is an Inventory Management System. Everything that is bought, received, stored, transferred, issued, or disposed of is recorded and controlled. The program is a live inventory instantaneously recording any supply activity that is entered in the system. It makes daily recommendations both for replenishing the Central Hospital Supply shelves from the Storage & Distribution Warehouse and for reordering supplies that have fallen below their "par levels". It is the database that is linked to the Visual Supply Catalogue to provide the users the best "picture" and information on medical supplies. Finally, in the absence of a true financial link to inventory.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Lawson is a supply/inventory software that stores customer (patient care units, Clinics, ancillaries, not real people names) and product information. The information stored is a history of purchases, receipts, issues, transfers etc. of supplies purchased and equipment purchased by the Materials Management Department and consumed by the CC.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: This is an inventory management system - No IIF is collected or maintained

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This is an inventory management system - no IIF is collected or maintained.

PIA Reviewer Approval: Promote

Comments: IIF

PIA Reviewer Name: John Franco: 301-496-6745

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CC Medical Staff Credentialing Processes (SACRED) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 10, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3099-00

4. Privacy Act System of Records (SOR) Number: 09-25-0169

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name: Medical Staff Credentials Files

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jerry King

10. Provide an overview of the system: Information is collected from individual members of the Clinical Center Medical Staff and is used to document their credentialing and privileging under authority of Section 301 of the Public Health Service Act.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Private medical facilities, state medical boards and accrediting bodies as part of the credentialing process.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Names, addresses, phone numbers, medical licenses, college information and related data as part of the individual's application for membership on the Clinical Center Medical Staff. Submission is voluntary since application for membership is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Information is obtained directly from each applicant and each is informed about information collection procedures and rules when each applicant signs the consent authorizing the collection. Major systems changes would be sent electronically to each member of the medical staff and new consents obtained at the time of reappointment to the staff.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: As per standard CIT procedures for the maintenance, archiving and destruction of computer files and as published in the PA SOR.

PIA Reviewer Approval: Promote

Comments: IIF

PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954,

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CC Medicolegal Request Tracking System (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: Initial PIA Migration to ProSight

1. Date of this Submission: Jul 10, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3099-00-110-031

4. Privacy Act System of Records (SOR) Number: 09-25-0099

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name: Medicolegal Request Tracking System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jerry King

10. Provide an overview of the system: The Medicolegal Request Tracking System is used to receive requests for and track copies of medical record documentation sent out by the Medical Record Department to Clinical Center patients and the third parties they authorize to receive such information.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This information is addressed in the NIH Privacy Act Systems of Record Notice 09-25-0099, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system collects patient names, addresses, type of documentation requested for release, as well as the name and addresses of the person/organization to which the documentation is to be sent and the dates of receipt and release. Information is voluntary since release requests are also voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Each individual patient is informed of CC information practices before they are accepted as patients. In addition, each patient must provide a written release before information is sent out for any other purpose. The Medical Record Department would be responsible for revising release request authorization and information practices forms if any major system changes take place.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is maintained under controlled physical access and user identification as well as passwords are in effect for all users.

PIA Reviewer Approval: Promote

Comments: IIF

PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954,

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CC Protocol Tracking (PROTRACK) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 19, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3099-00

4. Privacy Act System of Records (SOR) Number: Systems Notice Submitted for Approval

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name: Jerry King

10. Provide an overview of the system: The Protocol Tracking System is used to collect, maintain and report administrative data about intramural research protocols under authority of Section 301 of the Public Health Service Act.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): NIH Employees for protocol approval, control and reporting.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The only IIF involved in the Protocol Tracking System are the names of the investigators related to each protocol, all of whom are NIH employees. The name of each principal investigator is mandatory when the protocol is submitted to the IRB for approval.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Employees provide names at the time as a part of the protocol approval process and the names of Government employees are a matter of public record. There are no plans to add additional IIF information at the current time, but the Protocol Service Center would provide notification to each investigator if additions were made in the future.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Only authorized persons may have access to the Protocol Tracking System and the system is protected through door locks and other physical controls, as well as technical controls including user identification and password protection.

PIA Reviewer Approval: Promote

Comments: New SORN filed and pending approval.

PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954,

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CC Softmed Automated Medical Record Processing and Tracking Applications (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: Initial PIA Migration to ProSight

1. Date of this Submission: Jul 10, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number: 09-25-0099

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name: Softmed Automated Medical Record Processing and Tracking Applications

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jerry King

10. Provide an overview of the system: SoftMed applications contain demographic and tracking information maintained on registered Clinical Center patients in order to route documents for creation, recording, retention, signature and location.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): None

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Information is collected to identify and route clinical documentation electronically for user review and confirmation. Patient and clinician demographic information, along with clinical documentation identifiers and location information. The information is voluntarily provided at the time of dictation or authorship and each patient is informed of CC information practices before admission as a patient at the Clinical Center.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The Softmed applications are a part of the medical record system which is an approved Privacy Act System. As such, each individual is informed of all information practices and any major system changes are published under a revised SOR.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: All information is protected by applying user ID, hierarchal passwords and administrative controls including supervisor limiting employee access on a need-to-know and minimum amount basis.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954,

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CC Workforce Tracking (WTMS) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 10, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3099-00-403-131

4. Privacy Act System of Records (SOR) Number: 09-90-0024

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name: Workforce Tracking Management System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Kathy Krisko

10. Provide an overview of the system: Maintain financial information including salary, benefits, etc. on Clinical Center Employees and contractors.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Reference SOR# 09-90-0024. This information is further addressed in the HHS Privacy Act Systems of Record Notice 09-90-0024, published in the Federal Register, Volume 70, No. 126, July 1, 2005.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Names, social security numbers, salaries, employment status, benefits, contract award amounts are collected to manage the Clinical Center budget. Employment is voluntary but data collection is mandatory following acceptance of employment at the Clinical Center.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Will be developed and distributed following completion and publication of the PA Systems Notice for WTMS.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Only authorized persons may have access to the WTMS System and the system is protected through door locks and other physical controls, as well as technical controls including user identification and password protection.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Jerry P. King: CC Privacy Officer, (301) 451-4954,

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CSR Asynchronous Electronic Discussion (AED) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: May 14, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3222-00

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Asynchronous Electronic Discussion

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jim Blagaich

10. Provide an overview of the system: A strategic objective of the Center for Scientific Review is to increase the methods of review. This new method, based upon the use of a threaded message board with features tailored to NIH review, permits the asynchronous discussion and private scoring of grant applications without the need for concurrent assembly or teleconference. As an alternative review format, it complements and extends the ways that CSR conducts peer-review at NIH.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Disclosure may be made to the National Technical Information Service (NTIS), Department of Commerce, for dissemination of scientific and fiscal information on funded awards.

Disclosure may be made to the cognizant audit agency for auditing.

Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.

Disclosure may be made to qualified experts not within the definition of Department employees as prescribed in Department regulations for opinions as a part of the application review process.

Disclosure may be made to a Federal agency, in response to its request, in connection with the issuance of a license, grant or other benefit by the requesting agency, to the extent that the record is relevant and necessary to the requesting agency's decision in the matter.

Disclosure of past performance information pertaining to contractors may be made to a Federal agency upon request. In addition, routine access to past performance information on contractors will be provided to Federal agencies that subscribe to the NIH Contractor Performance System.

Disclosure may be made to a private contractor or Federal agency for the purpose of collating, analyzing, aggregating or otherwise refining records in this system. The contractor or Federal agency will be required to maintain Privacy Act safeguards with respect to these records.

Disclosure may be made to a grantee or contract institution in connection with performance or administration under the conditions of the particular award or contract.

Disclosure may be made to the Department of Justice, or to a court or other adjudicative body, from this system of records when (a) HHS, or any component thereof; or (b) any HHS officer or employee in his or her official capacity; or (c) any HHS officer or employee in his or her individual capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the officer or employee; or (d) the United States or any agency thereof where HHS determines that the proceeding is likely to affect HHS or any of its components, is a party to proceeding or has any interest in the proceeding, and HHS determines that the records are relevant and necessary to the proceeding and would help in the effective representation of the governmental party.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Information types: User contact information - This information is used to create external active directory accounts so that permissions can be granted to reviewers to access grant application and discussion thread information that they are not in conflict with. Grant related information - This information is used during the discussion of grant applications in an online collaborative space in lieu of a physical meeting. The review discussion group scores applications on a scientific merit basis.

The submission is mandatory and does contain IIF information

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The system does not gather any information from the public. The system only performs analysis on populated IMPAC II data.

Applicants use specific paper PHS 398 and electronic forms SF424 and PHS416 with instructions about the information to provide and information about how it will be used. The information is entered into the NIH IMPACII system. There are no specific consenting processes beyond this.

The information stored in the system is not disclosed to anyone outside of HHS/NIH in a manner that identifies the individual except for the applicants themselves and except as permitted by the Privacy Act.

AED does not change any information and does not have any consent procedures for this. There may be minor changes in IMPACII of information such as to grant application identifiers. This is done without consent but the applicants are informed of the changes via the NIH Commons where applicants access their private information with personal passwords. Significant changes to IMPACII grant application information are achieved by voluntary resubmission of grant application forms by applicants and there are no consent procedures in place for CSR staff. Applicants are informed of major changes in internal use of their data via publication in the NIH Guide.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Technical controls: User ID and passwords have to be used for network authentication. SSL is used to secure the data AED uses from IMPAC II.

Administrative controls: AED training is available for the users. The AED system is backed up on a regular basis.

Physical controls: Security guards, identification badges, and key cards are used to gain access to building 12, where the system is located.

The password strength required is centrally controlled.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Richard Panniers, TSB, Branch Chief

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CSR Automated Referral Workflow System (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Feb 21, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3223-00

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): HHS/NIH/CSR/ARWS

7. System Name: NIH/CSR ARWS

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dipak Bhattacharyya

10. Provide an overview of the system: The National Institutes of Health (NIH), Center for Scientific Review (CSR) is responsible for managing the receipt, referral and review of grant applications submitted to NIH. The grant applications referral process today is a manual, time-consuming process that affects the overall elapsed time from initial receipt of an application until the time at which a peer review of the application can be completed.

CSR’s mission is to receive, refer and review NIH’s rapidly increasing flow of grant applications, now reaching several thousand applications per year. A stated goal of CSR is to speed up the grant application review process by reducing the amount of time from receipt to referral. CSR believes that automation of the referral workflow is clearly necessary to achieve CSR’s goals and is responsive to NIH, HHS, and the President’s Management Agenda (PMA) strategic goals and objectives.

The envisioned CSR Automated Referral Workflow System (ARWS) plans to achieve CSR’s strategic goals and objectives by (1) shortening the review process and (2) increasing the transparency, accountability, and uniformity of NIH peer review.

The primary goal of the Automated Referral Workflow System (ARWS) project is to reduce the amount of time required for referral of grant applications by CSR through the development and use of software tools to automate and assist with the assignment of grant applications to the Integrated Review Groups (IRGs) and Scientific Review Groups (SRGs). Secondary goals include providing Institutes/Centers (ICs), IRGs and SRGs with more information about how referral assignments are made and information about possible alternative referral assignments.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is disclosed only to Scientific Review Administrators who are federal staff at NIH and to the contractor, Discovery Logic, who built and maintains the system.

Disclosure may be made to the National Technical Information Service (NTIS), Department of Commerce, for dissemination of scientific and fiscal information on funded awards (abstract of research projects and relevant administrative and financial data).

Disclosure may be made to the cognizant audit agency for auditing.

Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.

Disclosure may be made to qualified experts not within the definition of Department employees as prescribed in Department regulations for opinions as a part of the application review process.

Disclosure may be made to a Federal agency, in response to its request, in connection with the issuance of a license, grant or other benefit by the requesting agency, to the extent that the record is relevant and necessary to the requesting agency's decision in the matter.

Disclosure of past performance information pertaining to contractors may be made to a Federal agency upon request. In addition, routine access to past performance information on contractors will be provided to Federal agencies that subscribe to the NIH Contractor Performance System.

A record may be disclosed for a research purpose, when the Department: (A) has determined that the use or disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained; (B) has determined that the research purpose (1) cannot be reasonably accomplished unless the record is provided in individually identifiable form, and (2) justifies the risk to the privacy of the individual that additional exposure of the record might bring; (C) has required the recipient to (1) establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record, (2) remove or destroy the information that identifies the individual at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the research project, unless the recipient has presented adequate justification of a research or health nature for retaining that information, and (3) make no further use or disclosure of the record except (a) in emergency circumstances affecting the health or safety of any individual, (b) for use in another research project, under these same conditions, and with written authorization of the Department, (c) for disclosure to a properly identified person for the purpose of an audit related to the research project, if information that would enable research subjects to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audit, or (d) when required by law; and (D) has secured a written statement attesting to the recipient's understanding of, and willingness to abide by these provisions.

Disclosure may be made to a private contractor or Federal agency for the purpose of collating, analyzing, aggregating or otherwise refining records in this system. The contractor or Federal agency will be required to maintain Privacy Act safeguards with respect to these records.

Disclosure may be made to a grantee or contract institution in connection with performance or administration under the conditions of the particular award or contract.

Disclosure may be made to the Department of Justice, or to a court or other adjudicative body, from this system of records when (a) HHS, or any component thereof; or (b) any HHS officer or employee in his or her official capacity; or (c) any HHS officer or employee in his or her individual capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the officer or employee; or (d) the United States or any agency thereof where HHS determines that the proceeding is likely to affect HHS or any of its components, is a party to proceeding or has any interest in the proceeding, and HHS determines that the records are relevant and necessary to the proceeding and would help in the effective representation of the governmental party.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Contains the email address of the user adding/updating the chief note. NIH IMPACII identifier for applicant Principal Investigator (PI). First, middle, last name and suffix of applicant. Title of the grant application; proprietary information until a grant award is made (which may never occur). Proprietary text excerpt from a grant application. Contains proprietary text consisting of excerpts from an applicant’s grant application cover letter. Identifying information for Scientific Review Administrators (SRAs) employed by NIH. Can be used to link an SRA back to NIH IMPAC II records. ARWS unique identifier of system user. NIH login name of ARWS user. First, middle, last name and suffix of ARWS user. Email address of ARWS user.

The grant application information is mandatory and is IIF.

Also contains a voluntary cover letter from grant applicants with name and work address. The cover letter is voluntary and may be IIF depending on voluntary content. The letter is only disclosed to their intended targets within the agency and to the contractor developing and maintaining the system.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The system does not gather any information from the public. The system only performs analysis on populated IMPAC II data.

Applicants use specific paper PHS 398 and electronic form SF424 with instructions about the data to provide and information about how it will be used. The information is entered into the NIH IMPACII system. There are no specific consenting processes beyond this.

The information stored in the system is not disclosed to anyone outside of HHS/NIH in a manner that identifies the individual except for the applicants themselves and except as permitted by the Privacy Act.

The system does not change any information and does not have any consent procedures for this. There may be minor changes in IMPACII of information such as to grant application identifiers. This is done without consent but the applicants are informed of the changes via the NIH Commons where applicants access their private information with personal passwords. Significant changes to IMPACII grant application information are achieved by voluntary resubmission of grant application forms by applicants and there are no consent procedures in place for CSR staff.

Applicants will be informed of major changes in internal use of PII data via publication in the NIH Guide.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: ARWS requirements for security must comply with the Privacy Act System of Records Number 09-25-0036 titled, “Extramural Awards and Chartered Advisory Committees: IMPAC (Grant/Contract/Cooperative Agreement Information/Chartered Advisory Committee Information),” HHS/NIH/OER and HHS/NIH/CMO. Included in the system design is the definition of users, roles assigned to users, and system privileges that are linked to user roles. Both the roles and privileges are flexibly defined within ARWS to allow for specification of privileges required to perform specific system functions or view specific data items appropriate for each role. The system permits only authorized and authenticated user access. Additionally, there are Federal (NIST, FIPS, OMB, GAO, agency-level HHS/NIH guidelines and directives compliant) and industry-best practices security measures in place to ensure the system utilizes and ensures the effective use of security controls and authentication tools to protect privacy to the extent feasible. Access to the ARWS system user's records is restricted to authorized users behind the contractor and NIH firewall. Risk of unauthorized access is, therefore, considered low. The ARWS system is maintained in strict compliance with the Privacy Act of 1974.

Authorized user access to information is limited to authorized personnel in the performance of their duties. Authorized personnel include system managers and their staffs, computer personnel, and NIH contractors and subcontractors. Physical safeguards are in place at CSR and the contractor facilities. Procedural and Technical Safeguards: A password is required to access the terminal and a data set name controls the release of data to only authorized users. All users of personal information in connection with the performance of their jobs protect information from public view and from unauthorized personnel entering an unsupervised office. Data on local area network computer files is accessed by keyword known only to authorized personnel. Codes by which automated files may be accessed are changed periodically. This procedure also includes deletion of access codes when employees or contractors leave. New employees and contractors are briefed and the security department is notified of all staff members and contractors authorized to be in secured areas during working and nonworking hours. This list is revised as NIH requires the completion of a computer-based training (CBT) course entitled ‘Computer Security and Awareness’ for NIH staff and contractors. This CBT provides an overview of basic IT security practices and the awareness that knowing or willful disclosure of the sensitive information processed in the system can result in criminal penalties associated with the Privacy Act, Computer Security Act, and other federal laws that apply.

All data transmitted between the server (currently at contractor location) and workstations at CSR are encrypted.

It should also be noted that the ARWS system is hosted at this time as a part of the contractor facility on an interim basis as it is currently in the proof-of-concept stage and used in a limited manner – the system will be moved in the short term as a part of the NIH (CIT) infrastructure. The NIH ISSO and Incident Response Team (IRT) (along with the Security Team Network Operations Team, Web Development Teams, and Administrator Teams) help assure the security of NIH systems, data, and information while maintaining connectivity and interoperability throughout NIH. The IRT responds to computer security incidents, characterizes the nature and severity of incidents, and when appropriate, provides immediate diagnostic and corrective actions. Audit logs are reviewed by appropriate staff.

These practices are in compliance with the standards of Chapter 45-13 of the HHS General Administration Manual, "Safeguarding Records Contained in Systems of Records," supplementary Chapter PHS 45-13, and the Department's Automated Information System Security Handbook.

NOTE: The primary consequence of a breach of security in the form of data erasure or contamination would be a delay in the consideration of a citizen’s grant application.

Risks associated with disclosure of privileged information about grant applications and information about individuals contained in them include, but are not limited to:

Improper disclosure of intellectual property rights.

Compromise of personal employment information.

Compromise of personal education history.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Richard Panniers, TSB, Branch Chief

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CSR Internet Website (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 17, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-27-02-3204-00-305-109

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): CSR-3

7. System Name: CSR Internet

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jim Blagaich

10. Provide an overview of the system: Provides information on CSR work to the general public. Authorized by Section 301 of the PHS Act.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The CSR Internet website is designed to provide information about CSR's mission, resources, and important news to the general public.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Reviewer Approval: Promote


PIA Reviewer Name: TSB Chief/Richard Panniers/301-435-1741

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CSR Intranet Website (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 17, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-27-02-3204-00-305-109

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): CSR-2

7. System Name: CSR Intranet

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jim Blagaich

10. Provide an overview of the system: Provides information on CSR work to CSR and NIH staff. Authorized by Section 301 of the PHS Act.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Provides information on CSR work to CSR and NIH staff. The system shares contact information with CSR supervisors for use in crisis notification. SOR #09-25-0106

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Provides information on CSR work (forms, publications, policies) to CSR and NIH staff. The system shares contact information (home phone #, email address, cell phone #) with CSR supervisors for use in crisis notification. The mandatory information will be cell phone, home address, home phone, and personal email address. Voluntary information will be out of area contact information, i.e.: contact name, address, phone, and email address.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: A message is displayed to the employee explaining the purpose and protections in place to safeguard information. There is not a consent process since this information is mandatory and critical to continue the CSR mission in case of emergency.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes. Photos of staff are limited to NIHnet users. IIF in the form of home phone numbers will be restricted to an SSL-enabled website and require user authentication.


Access to the Intranet entry form and/or an employee listing requires an active directory account that is created and maintained by the central NIH account authority. The initial employee record is entered by the supervisor as part of a desktop support request. Once the employee is situated, he/she enters additional emergency contact information, i.e. home address, cell phone number, and home phone number. This information is required so the Center can contact them in case of emergency. Prior to the employee departure/termination date, the employee is required to complete an online Intranet and physical departure process. The automated record is removed from the system 30 calendar days after the departure date. All database backups no longer have the information after 60 calendar days.


The employee entry form is located on the CSR Intranet. This server is hosted and maintained by the CIT hosting branch. It physically is located in Building 12. The building has the technical infrastructure to ensure protection of the server from physical and online attacks via ADP room access controls and WAN and LAN intrusion protection. The software program allows the following access to employee records:

Role: Director, CSR, Emergency Coordinator, Director, Division Directors (6) - Records Accessed: All

Role: Branch and IRG Chiefs - Records Accessed: Supervised Employees

Role: All Employees - Records Accessed: Their Supervisor

This access is maintained through the use of active directory usernames and passwords. The system administrator password is changed every year. Due to operational necessities, an exception to policy was granted for a year long password. The CIT hosting branch maintains the operating and database system patch level in accordance with policy set by CERT and the manufacturer.


Building 12 has access control procedures in place to prevent unauthorized access to CSR servers. In addition, CSR employees are not authorized without escort to enter the ADP room or access servers. All supervisors have the ability to save and/or print a hardcopy of the employee directory. The supervisor is required to keep this information in a locked file cabinet at all times. In addition, the list is stored on the local drive of the supervisor. All hard disks are encrypted using the xxxx software tool.

PIA Reviewer Approval: Promote


PIA Reviewer Name: TSB Chief/Richard Panniers/301-435-1741

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CSR Mark Sense Score System (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 17, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-04-00-01-4613-00-205-080

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): CSR-6

7. System Name: Mark Sense Scoring System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jim Blagaich

10. Provide an overview of the system: Downloads from IMPAC II reviewer name, primary investigator name, organization, and title and prints these to Mark Sense scoring sheets. Reads scores from mark sense forms and loads scores into IMPACII. The scores are associated with application ID numbers. Authorized by Section 301 of the PHS Act.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): n/a

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Downloads from IMPAC II reviewer name, primary investigator name, organization, and title and prints these to Mark Sense scoring sheets.

Reads scores from mark sense forms and loads scores into IMPACII.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Electronic Research Administration handles these processes.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: User ID and Passwords.

PIA Reviewer Approval: Promote


PIA Reviewer Name: TSB Chief/Richard Panniers/301-435-1741

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CSR Time Allocation Project System (TAPS) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: May 14, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Time Allocation Project System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: James Blagaich

10. Provide an overview of the system: The system is used to document government and contractor labor hours spent on IT initiatives. This information will be used for managing and forecasting CSR’s IT budget. Additionally, project and cost variances are calculated using information collected from this system. Management reports are used on a weekly basis to communicate progress.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The information collected is employee's first and last name, work address, work phone number, work e-mail address, and whichever project the employee is working on.

The information is not IIF.

The information is mandatory.

The information is used to track the labor hours of TSB staff on the IT initiatives they are working on.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The information is not IIF.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Reviewer Approval: Promote


PIA Reviewer Name: Dr. Richard Panniers, 301-435-1741

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CSR Track Record (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 17, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): CSR-5

7. System Name: Track Record

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jim Blagaich

10. Provide an overview of the system: Records and tracks tasking of Web team. The system does not record first or last name of the person requesting the change, but it does record the name of the assigned web developer. Authorized by Section 301 of the PHS Act.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Records and tracks tasking of Web team. Authorized by Section 301 of the PHS Act. The system also collects the first and last name of the web developer.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Reviewer Approval: Promote


PIA Reviewer Name: TSB Chief/Richard Panniers/301-435-1741

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT Active Directory (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Active Directory

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Adrienne Yang

10. Provide an overview of the system: Active Directory is an implementation of an LDAP (Lightweight Directory Access Protocol) directory service. It is a directory containing information about users and resources and a service or services that allow access and manipulation of these resources. Active Directory is built around Domain Name System (DNS) and the Lightweight Directory Access Protocol. Active Directory acts as the central authority that manages the information about network resources and brokers the relationships among them. The information contained in AD is internal government information only. Information on users is user account information that allows them to access resources, and their work related locations and phone numbers, which is information in the public domain.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Does not share or disclose IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: AD contains information about computers, computer devices, user accounts (e.g., user IDs, passwords), and user mailbox information (e.g., email addresses). There is no IIF information.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana, NIH/CIT/OPEC

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT Administrative Database (ADB) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-01-3104-00-402-129

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: NIH Administrative Database System (ADB)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Carol A. Perrone

10. Provide an overview of the system: The Administrative Data Base (ADB) is a legacy system project that is over twenty years old. The new NIH Business System (NBS) is projected to replace the ADB by FY06. The system provides support for a broad range of NIH business (financial and administrative) functions including the purchase, receipt, and payment of goods and services (internal and external); the tracking and supplying of inventories; services and supply fund activities; and property management. Development of the ADB began in 1978 to automate the processes related to the procurement of goods and services and to translate the procurement actions into accounting transactions that are processed by the Central Accounting System (CAS). Since then the CAS has been modified to interface with the ADB. Several other systems have been added and modifications/enhancements continue to be made to the ADB to reflect changing policies, requirements and the need for increased functionality. NIH heavily relies on this system for much of its business transactions and management information. The legislation authorizing this activity is found in the Privacy Act System of Record (SOR) Notice #09-90-0018. It is 5 U.S.C. 1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521 and Executive Order 10561.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The information is shared with the IRS and the Department of the Treasury. SOR 09-90-0018

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The agency collects data pertaining to the procurement of goods and services for the NIH as well as data pertaining to stipend payment to NIH Fellows. Some of the data collected is IIF such as the EIN or SSN and ACH Banking information and is required in order to effect payments and prepare 1099s and 1042s. Submission of this data is mandatory. The data is maintained on a Vendor file in the Administrative Database (ADB) System.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Changes to the ADB system software do not affect the data collected and maintained in the ADB Vendor file. However, if changes in uses occur, notification to the individuals is done by the Institute or Center (IC) where the original request was initiated or by the Office of Financial Management (OFM) and follows the processes in place for those organizations.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is run under a secure server and access is restricted through RACF as well as security within the system.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana NIH/CIT/OPEC

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT ALTIRIS (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Altiris Client Management Suite

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Connie Latzko NIH/CIT/DCS

10. Provide an overview of the system: Altiris Client Management Suite is an agent based systems management solution used to provide hardware and software inventory, patch management, and software delivery for CIT commodity desktops.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The information collected includes Machine Hardware, Software, IP address, User ID, User Location (Imported from the GAL) and status of Tasks run or to be run on the machine. This data is collected to improve the efficiency of managing and the security of CIT desktops and clients supported by CIT desktop support. The purpose is to manage the client system. i.e.: Provide missing patches, deliver software packages, to provide assistance for determining hardware/software upgrades required (such as minimum hardware requirements to run a new OS or Application). No IIF is collected.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF is collected.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF is collected

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana NIH/CIT/OPEC

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT Business Intelligence System (formerly nVision) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-01-3105-00-404-142

4. Privacy Act System of Records (SOR) Number: 09-90-0018 and 09-90-0024

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH Business Intelligence System (NBIS) (nVision)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: John L. Price

10. Provide an overview of the system: The NIH Business Intelligence System (NBIS) is an enhanced data warehouse that is a consolidation of the legacy data warehouse, and the next generation data warehouse, nVision. It is designed to improve reporting capabilities of the NIH business source systems. This consolidation integrates the query and reporting capabilities of NIH business systems into one system. The legal authority is referenced in HHS Privacy Act Systems of Record 09-90-0018 and 09-90-0024.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Only authorized personnel have access to this data. Data may be obtained through FOIA requests. SOR 09-90-0018 and 09-90-0024

HHS, Congress and via FOIA requests.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The agency collects both administrative and financial data. This data is collected from NIH source systems and includes name, DOB, SSN, education records, employee status, business mailing address, e-mail address and phone numbers, and is used for business reporting purposes.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Agreements have been obtained from the NIH source systems in collaboration with the business community requirement groups to provide the data needed to support the mission of NIH. The warehouse and source systems teams are in constant communication with regard to the data and changes in that data or access permissions granted to users.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: NBIS administrative controls include C&A, a System Security Plan, a Contingency Plan, system backups, and documented procedures. Technical controls include a User ID and strong password to access the system and access is only granted when there is a documented request by an authorized official. Other technical controls include Firewalls and VPN. Physical controls to the server room include guards, ID Badges, Key Cards and locks.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana NIH/CIT/OPEC

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Jan 25, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT Central Accounting System (CAS) (FISMA) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-01-310

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: NIH Central Accounting System (CAS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Carol A. Perrone

10. Provide an overview of the system: The NIH CIT Central Accounting System is a legacy system that processes all accounting and financial transactions for the NIH from systems: ADB, Central Payroll, PMS and IMPAC II.

The CAS will be replaced by the new NIH Business System (NBS). Please refer to project # 009-25-01-4601. The CAS project resides in the Division of Enterprise and Custom Applications, Center for Information Technology, NIH. The CAS is a legacy system project that is over twenty years old, and processes accounting and financial transactions for the NIH. It processes data from several sources including: the Administrative Data Base (ADB); Central Payroll; Payment Management System (PMS); and Information for Management, Planning, Analysis and Coordination (IMPAC). The CAS provides data exchange to the ADB, PMS and IMPAC. Data is extracted from the CAS nightly and made available to the NIH through the NIH Data Warehouse. The CAS produces a wide range of reports that detail spending within the Agency. Financial reports are generated for the Department of Health and Human Services, the Treasury Department, the Office of Management and Budget, and the Public Health Service. The legal authority for SOR #09-90-0024 is found in the Budget and Accounting Act of 1950 (P.L. 81-784) and Debt Collection Act of 1982 (P.L. 97-365).

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Department of Treasury for payments and IRS for 1099 reporting. SOR 09-90-0024

Financial reports are generated for the Department of Health and Human Services, the Treasury Department, the Office of Management and Budget, and the Public Health Service.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The agency collects data pertaining to the procurement of goods and services for the NIH as well as data pertaining to stipend payment to NIH Fellows. Some of the data collected is IIF such as the EIN or SSN and ACH Banking information and is required in order to effect payments and prepare 1099s and 1042s. Submission of this data is mandatory. The data is maintained on a Vendor file in the Administrative Database (ADB) System and is only passed through the CAS.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No processes are in place other than those specified through the ADB, Central Payroll, IMPAC and PMS systems.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The CAS is a mainframe legacy system that operates in a batch environment. The CAS is not accessible to users other than the individuals who maintain it. Those individuals must have proper RACF security in order to access the system.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana NIH/CIT/OPEC

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT Computer Installation Management System (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Computer Installation Management System (CIMS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: John Burke

10. Provide an overview of the system: CIMS is a COTS product. CIMS is an automated, non-intrusive system used to collect for resources consumed by CIT users. Computer charges are collected from various CIT system administrators, and CIMS does not affect the performance or operation of the computer center. This data is used to create invoices and summary reporting files for the central accounting system. CIMS supports fee for service and flat fee standard rates. CIMS collects no sensitive information.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The information collected is account usage and costs associated with use. This data is used to create invoices and summary reporting files for the central accounting system. CIMS supports fee for service and flat fee standard rates. CIMS collects no sensitive information.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana, NIH/CIT/OPEC

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT Data Center (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 8, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: NIH Data Center

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Adriane Burton

10. Provide an overview of the system: Information processing services.

The computers located in the Data Center are general support systems that may host sensitive data and applications. Data and applications are the sole responsibility of the application owners. CIT provides the environment and utilities that enable customers to effectively manage the security of their applications and data.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This system does not share or disclose IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: office locations, phone numbers, etc., solely for the purpose of establishing user accounts on the Data Center host systems. No personally-identifying information is collected, maintained, or disseminated as part of customer support for Data Center services. This information is collected from government employees and contractors only.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana NIH/CIT/OPEC

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT DCB Systems (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-3103-00

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: DCB Systems

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Anthony Iano Fletcher NIH/CIT/DCB

10. Provide an overview of the system: This system (“DCB Systems”) is used to provide CIT support for the Institutes and Centers (IC) at NIH. DCB collaborates with the NIH intramural research program to provide expertise and develop software on computational research problems of significance to the ICs. DCB Systems host this software which includes development and pre-production versions. The application areas include molecular modeling, protein structure prediction, biomedical imaging, mathematical modeling, and biomedical informatics.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): SOR 09-25-0200 This information is addressed in the NIH Privacy Act Systems of Record Notice 09-25-0200, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: CIT/DCB does not collect any of the data it uses in its research and collaborations with the Institutes. DCB develops tools for principal investigators to use in collecting data. DCB merely keeps a copy of the data, which depends on the protocol but may include IIF such as name, date of birth, phone number, medical records, medical notes, and gender. The principal investigators with whom DCB collaborates determine which data will be collected. All data are provided voluntarily.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Any IIF data in the system are obtained from the ICs with which DCB collaborates, particularly NINDS. The processes by which the IIF data are collected are determined by the principal investigators in charge of the protocols. The clinical staff at NINDS handle all consent forms and notifications. DCB has no processes in place in addition to those processes provided by NINDS.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Restricted physical and logical access; no project personnel will be allowed to see project data.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana NIH/CIT/OPEC

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT Infrastructure Graphical Database (IGDB) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Mar 18, 2008

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: There is no unique identifier for this system

4. Privacy Act System of Records (SOR) Number: There is no SOR needed - no IIF exists in this system

5. OMB Information Collection Approval Number: This does not apply - there is no IIF in this system

6. Other Identifying Number(s): There are no other identifying numbers

7. System Name: Infrastructure Graphical Database (CIT Archibus)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tony Trang, NIH/CIT/DNST

10. Provide an overview of the system: This is the infrastructure assets management system used to track cabling and telecommunications infrastructure information.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): There is no IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: There is no IIF. This system collects infrastructure, telecommunications and cabling pair information.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There is no IIF.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: There is no IIF.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT KNOVA (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Mar 18, 2008

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: none

4. Privacy Act System of Records (SOR) Number: none

5. OMB Information Collection Approval Number: none

6. Other Identifying Number(s): none

7. System Name: KNOVA

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Geoff Marsh

10. Provide an overview of the system: This is a Commercial-Off-The-Shelf (COTS) product that provides help desk knowledge base services. It allows agents to type in the customer issue and then be presented with a variety of options depending on their search, including tailored search results, Q&A dialogs, and fields to fill in. It can exchange problem and incident management data with the Customer Relationship Management (CRM) system; however, no IIF data from the CRM system will be available to Knova. All customer information and IIF is collected in the CRM system; only technical problem-related information is entered into Knova. Any integration between the two will strictly pass non-uniquely-identifiable problem information from the CRM to Knova, and then pass resolution information back from Knova to the CRM. No IIF will enter Knova.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): There is no IIF contained within this system

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system is a help desk knowledge management tool and as such, non-uniquely-identifiable information about technical problems and how to solve them will be housed in the system. These solutions are technical in nature (how-to's etc) and do not contain IIF. These solutions will be available to the NIH Help Desk and, in the future, support staff and the NIH user community. The information will be used to assist the NIH community with technical issues. There is no IIF in the system.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There is no IIF contained within this system

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: There is no IIF contained within this system

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Apr 2, 2008

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT National Database for Autism Research (NDAR) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: Alteration in Character of Data

1. Date of this Submission: Feb 8, 2008

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-3110-00

4. Privacy Act System of Records (SOR) Number: 09-25-0200; 09-25-0156

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: National Database for Autism Research

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Matthew McAuliffe

10. Provide an overview of the system: NDAR, the National Database for Autism Research, is a collaborative biomedical informatics system being created by the National Institutes of Health to provide a national resource to support and accelerate research in autism.

NDAR will make it easier and faster for researchers to gather, evaluate, and share autism research data from a variety of sources. By giving researchers access to more data than they can collect on their own and making their own data collection more efficient, the time to discovery can be reduced.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): IIF information is not shared on research participants. However, the PIs granted access to data will give permission to post their name on the NDAR Web site with the research aims. The purpose of this is to facilitate transparency in how NDAR data is being used. PIs who submit information to NDAR will not have their information posted on the Web site.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system will collect a wide variety of clinical information including images of the brain, genetics information, and data from diagnostic criteria specific to clinicians in the autism field. None of this information will be IIF. Recent changes to NDAR make sure that all IIF on research subjects (used to generate encrypted hashes that allow cross checking studies for the same individuals) is kept at the researcher’s institution.

NIH will collect IIF on PIs who submit information about research participants to NDAR. This information will be used by NIH to document, track, monitor and evaluate NIH clinical, basic, and population-based research activities.

NIH will also collect IIF on PIs who wish to gain access to the information. This information will be used to document, track, monitor, and evaluate the use of NDAR datasets and to notify recipients of updates, corrections or other changes to NDAR.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: As part of the research protocol, all subjects will be required to fill out consents that describe how their information will be used even though NDAR will contain no IIF on research participants. If these change or expire, all participants will be contacted.

PIs submitting information to NDAR and accessing information from NDAR will sign relevant agreements for submission and access, both of which include a Privacy Act notification.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:

1) Management policies require that all new users be part of an approved site, with the request coming through a system administrator.

2) Technical Controls require that each user log in to the NDAR application with a unique user name and password. Additionally, the password is set to expire after 75 days, must be at least 8 characters long, with at least 2 of the following character types: Control Character, Number, Capital Letter.

3) Physical Controls require badged access to all server rooms, with badge lockdown policies in line with existing NIH procedures.

Physical rack will be key-locked.

Physical rack will be located in data center behind both biometric and keycard access with 100% identification badge check by 24/7 security guard. The Data Center is behind 3 independent 24/7 security guards that will perform identification badge checks.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Mar 3, 2008

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT NIH Application Manager (NappMan) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: This system does not require a UPI.

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: NIH Application Manager (NAppMan)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Doug Meyer NIH/CIT/DECA

10. Provide an overview of the system: The intention of NAppMan is to alert a responsible individual when an application is not available or is suffering a problem of some sort. It summarizes information received from underlying monitors that more directly monitor the application and maintains statistics

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The NAppMan system does not collect IIF and therefore cannot disclose or share IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: NAppMan stores application up-time information including the date and time of occurrence, the name of the application component, and the status of the component, its relationship to other components, and business rules to represent the status properly at higher levels. No personal information or IIF is gathered.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF is being collected.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF is available in the NAppMan system.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana NIH/CIT/OPEC

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT NIH Enterprise Directory (NED) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026 (under NIH IT infrastructure)

4. Privacy Act System of Records (SOR) Number: 09-25-0216

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): 009-25-02-00-01-3109-00-109-026 (under NIH IT Infrastructure)

7. System Name: NIH Electronic Directory (NED), HHS/NIH

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Helen Schmitz

10. Provide an overview of the system: The purpose of the NIH Electronic Directory (NED) is to maintain accurate, current locator and organization information for individuals utilizing NIH services or facilities, and to provide the basis for physical and information security systems. NED is also used to authorize NIH services such as ID badges, NIH Library access, Listing in the NIH Telephone and Services Directory, red parking permits, Active Directory accounts, and Exchange mailboxes.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): System submits public information to the HHS Directory. SOR 09-25-0216

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: NED contains individual identifying information, such as a person’s name, NIH ID number, date of birth, place of birth, Social Security Number (SSN), and ID photo as well as information for locating or contacting a person at work or home, such as their email address, postal and delivery addresses, telephone numbers, organizational affiliation and classification (e.g., Employee, Contractor).

NED was developed to provide a convenient, single, logical source of identity and locator information at NIH. NED assigns and maintains a public identifier (NIH ID number) that follows a person throughout his or her NIH career. NIH ID numbers have been incorporated into numerous NIH systems and business processes and are tied to a common set of normalized data for all members of the NIH workforce. NED eliminates the need for application-specific repositories of people data, thus reducing the cost of application development and maintenance. This also reduces the amount of redundant data entry, since NED provides a single place to update people data used by a number of major applications.

NED makes deregistration of individuals occur more reliably when they leave NIH. Applications connected to NED can take advantage of this to deactivate accounts and revoke authorizations, thereby improving security. For example, when an individual is deregistered in NED, this deactivates their record in the ID badge system, which revokes their card key door lock access.

Submission of personal information is mandatory.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The following notice is displayed to users following authentication to NED.

"Collection of this information is authorized under 5 U.S.C. 301 and 302, 44 U.S.C. 3101 and 3102 and Executive Order 9397. The primary use of this information is to establish a centrally coordinated electronic directory to conduct administrative business processes at the National Institutes of Health. Information from this system may be disclosed to personnel with a valid need for access to the information in order to conduct agency business. To the extent that they are relevant and necessary, additional disclosures of the information may be made for the following purposes: to contractors or consultants engaged by the agency to assist in the performance of a service; to respond to another Federal agency’s request made in connection with the hiring, clearance or retention of an employee or letting of a contract; or to the Department of Justice, or to a court or other adjudicative body for litigation. Failure to provide all or part of the information requested may limit your ability to perform official duties, impact your ability to qualify for an NIH contract or limit your access to NIH services and facilities."

There are no other processes currently in place to obtain additional consent from the individual whose IIF is stored in NED regarding what IIF is being collected for them or how the information will be used or shared. There are also no processes in place at this time to obtain consent from the individuals whose IIF is in the system when major changes occur to the system.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Between September and December 2004, NED underwent an independent C&A by Carson Associates. As part of the C&A, security controls were reviewed, validated and tested to ensure that NED adheres to the standards required for operating as an HHS Tier 3 system. As part of the C&A process, a Plan of Action and Milestones was developed, addressing all areas requiring attention in order to achieve full compliance.

NED production servers and some development servers are maintained at the NIH Computer Center machine room operated by the NIH Center for Information Technology/Division of Computer System Services (CIT/DCSS). Physical and environmental controls are described in the NIH Computer Center C&A documentation, and are sufficient for the sensitivity level of the NED system. Two development application servers are located in the Fernwood Building lower level computer room. NED utilizes the NIH computer network (NIHnet) operated by CIT's Division of Network Systems and Telecommunications. NED physical, network and operating system security controls are maintained by CIT/DCSS and CIT/DNST as part of a service level agreement (SLA). The NED C&A defers to the DCSS and DNST C&A information on controls. In addition, the NIH Computer Center undergoes a SAS 70 audit and is currently in compliance.

All staff on the NED development and management team have appropriate position sensitivity levels. Background investigations are either complete or underway. Users of the NED Web application (NEDWeb) are responsible for the professional use of their accounts and user passwords as outlined in the NIH Rules of Behavior and are required to take NIH Security Awareness Training with annual refresher modules. Users are granted access to NEDWeb by a NED IC Coordinator or supervisor using the NEDWeb user administration module. Scope of authority for NEDWeb users is always limited to their own Institute or Center (IC) and may be further restricted to specific organizations within the user's IC. Access is automatically removed when a user's NED record is deactivated or transferred to a different IC. Authentication to NEDWeb is via NIH Login, which is based on NIH Active Directory-controlled accounts.

CIT/DCSS is responsible for the operation, maintenance, and support of NIH Active Directory. Following authentication using NIH Login, NED record owners are also able to view private information contained in their own record via a secure Web site from a computer attached to NIHnet. NED public data can be accessed via the Web without authenticating.

NED Oracle database administration (backups, logging and operating system support) is performed by a separate team from DCSS. DB2 accounts for access to NED public information are managed by the DCSS accounts group. Oracle accounts for access to NED public information are managed by the NED team. NED staff provides written confirmation to DCSS when requesting that access to private data be granted to an account. NED staff will not make such a request unless the account has been authorized for private data access by the NIH Privacy Act Officer.

The NIH Incident Response Team (IRT) has established the NIH Incident Handling Procedures, which outline how to handle, report, and track incidents and/or problems. The procedures describe the roles of the IRT and ISSOs. The IRT has a 24 x 7 contact number available to ISSOs (301-881-9726) and can be reached at

NED has a configuration management process where all system code is maintained under change control. All proposed changes are reviewed by a team for operational and security impact, coded, unit tested in development, and regression tested in a development environment. Once testing has been completed, and a rollback plan created, approval to move to production is given.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana NIH/CIT/OPEC

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT NIH Listserv (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH Listserv

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Renita Anderson, Director, NIH/CIT/DNST

10. Provide an overview of the system: The NIH LISTSERV facility is an e-mail-based server that allows users to create, manage, and control electronic "mailing lists" on a network. LISTSERV manages list subscriptions, maintains archives of posted messages, optimizes mass mail delivery, and so forth. LISTSERV allows any networked user to subscribe to lists, receive list postings, query LISTSERV, set up a new list, access list archives, etc. These functions are available either via e-mail or via a secure web server.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Listserv is an email list service for HHS. To perform this function a user must supply an email address. A user has the option to supply their name, but it is not required information. Listserv does not contain IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana, NIH/CIT/OPEC

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT NIH Login (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: NIH Login/NIH Common Services

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Debbie Bucci

10. Provide an overview of the system: NIH Login provides a single authentication mechanism for NIH enterprise systems and IC specific applications.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF is shared or disclosed.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: There is no data collected.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There is no data collected.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: There is no IIF

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana, NIH/CIT/OPEC

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT NIH Portal (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: None

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: NIH Portal

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Renee Edwards

10. Provide an overview of the system: The NIH Portal is a web-based application that gives NIH staff a single point of access to the data, documents, applications and services available at the National Institutes of Health.

The NIH portal enables employees to bring together in one site the links to NIH data and documents used to support the mission of the NIH.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The NIH Portal maintains links to NIH data and documents that NIH staff use to support the mission of the NIH.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A - There is no IIF.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana, NIH/CIT/OPEC

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT NIHnet (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 5, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIHnet

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Renita Anderson

10. Provide an overview of the system: NIHnet provides centralized network intercommunication/transport services and network security services between NIH Institutes and Centers and external resources such as the Internet and HHSnet.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: NIHnet provides data transport services for NIH Institutes and Centers. Per NIST SP 800-60 NIHnet maintains Information and Technology Management information (e.g., IT infrastructure maintenance, IT security, system development, etc.). NIHnet does not collect, maintain or disseminate IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Promote

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name:

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT Remedy (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026

4. Privacy Act System of Records (SOR) Number: 09-25-0216

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Help Desk Ticket Tracking System (CIT Remedy)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jennifer Czajkowski

10. Provide an overview of the system: The system is used by the IT Support Community at NIH to track customer technical issues from the time of first contact to the point of problem resolution. Authorized users from NIH and certain sister agencies can log in, enter tickets, track their own tickets, and view tickets for other users within their own area.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is disclosed only to other support organizations within NIH or with DHHS organizations outside of NIH with whom we share an SLA. SOR 09-25-0216

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Name, business contact information, business computer information, and IT support issue information are collected. Submission is voluntary. Information is shared in order to provide technical support, training, and other support services to the customer.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Consent is voluntary and is provided by users of NIH services in order to obtain IT support. Any changes to data collected will be addressed at the next contact with the customer. No disclosure is made outside the scope of this statement; therefore, no additional consent is needed.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical hardware is located in a secured machine room environment and accessible only via cardkey and/or biometric retinal scanning.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana NIH/CIT/OPEC

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT Scientific Coding System (SCS) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-04-00-02-3106-00-110-219

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Scientific Coding System (SCS) OnDemand

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Renee Edwards

10. Provide an overview of the system: SCS is a scientific coding and reporting IMPAC II extension system application. The data included in the system is required for NIH to fulfill its scientific reporting obligation to the Public, Congress, and the White House, for national health policy and goals.

SCS uses the IMPAC II Reporting Database (IRDB) as the primary data source. SCS users also have the ability to add projects (e.g. contracts) to the system that are not included in the IRDB.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not disclose IIF. SOR is 09-25-0036


30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: 1) PI Name (mandatory and extracted from IMPAC II) – used as a business point of contact on grants and contracts

2) PI Birth Year (mandatory and extracted from bio-sketch info from the abstract/summary statement, or other internet data sources, and then entered into SCS by the Scientific Coder) – used for analysis of the NIH scientific program

3) PI Gender (mandatory and extracted from bio-sketch info from the abstract/summary statement, or other internet data sources, and then entered into SCS by the Scientific Coder) – used for analysis of the NIH scientific program.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Will use Privacy Act Notification Statement as defined by IMPAC II. Will use the same format as that of IMPAC II to notify users.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The SCS is hosted by the NIH Data Center which provides the administrative, technical and physical controls. Technical controls will include the use of user ids, passwords, and a firewall. Physical access controls will include the use of identification badges and key cards. Administrative controls will include a security and contingency plan. Additionally, files will be backed up using the schedule defined by the NIH Data Center. User manuals will also be provided.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana, NIH/CIT/OPEC

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM AdvantageEDC (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not applicable

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCCAM-009

7. System Name: AdvantageEDC

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Patrick Mansky

10. Provide an overview of the system: Internet data entry system. Purpose is to provide database and data management system for the conduct of clinical investigation at the Division of Intramural Research / NCCAM. Authorizing legislation: 42 USC 287c-21.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The study information will be shared with collaborating study investigators only. SOR: 09-25-0200

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Patient information without identifiers (i.e. date of birth and biometric identifiers) is collected for the purpose of the conduct of clinical investigations in Complementary and Alternative Medicine (CAM). Clinical data collected in accordance with NCCAM protocols of clinical investigations enable study investigators to advance knowledge about CAM according to study outcomes set forth in clinical study protocols, and to advance the knowledge about the safety and efficacy of CAM for the treatment of human diseases. This system does collect IIF (date of birth and biometric identifiers) and the submission of this personal information is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: If major changes occur to the system, then the principal or associate investigator would have to obtain new consent forms from study subjects. Study information will be collected only from study subjects, and their medical records, according to written consent forms read, explained to, and signed by study subjects prior to study entry.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information will be collected and stored without patient identifiers. Stored information will be password protected and accessible only to identified study investigators. Information is also secured through an intrusion detection system, firewalls, locks, badges and background investigations. A comprehensive IRT is also maintained.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Kathleen Stephan (301) 496-5826

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Applications Database (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 9, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not applicable

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCCAM-003

7. System Name: Application Database

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Linda Rich

10. Provide an overview of the system: The system holds grant application information that is retrieved from the IMPAC II database with additional tracking information added for the purpose of application grant approval. The system tracks grant applications under authority 42 USC 287c-21.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): For internal purposes only; it will not be shared. SOR #09-25-0036

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The information collected is from the NIH IMPAC II system and is used to communicate with the applicants and to disseminate information to staff involved in the applications process. The information collected does contain Names, Mailing Addresses, and Email Addresses of applicants. IIF is obtained from the IMPAC II system and all notifications and consent procedures with subjects are handled at that level. Personal information is required to complete an application; however, submissions are voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: All IIF information is obtained from the NIH IMPAC II system. Any major changes to the system should be handled at the NIH level. Notifications and consent procedures with subjects are also handled at the NIH level. NCCAM does not have a notification process in place as the applications database does not collect the initial IIF. It is only a recipient of IIF collected by another database that is maintained at the NIH level; thus, we do not have our own notification process to obtain IIF from individuals. This system does not have any notification procedures in place in addition to those in place for the IMPAC II system.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The information is physically secured by a required key card and employee badge, and electronically secured by a password login procedure to the NIH computer system, a restricted folder location, and a requirement of a password when accessing the database. Information is also secured by least privilege, separation of duties, an intrusion detection system, firewalls, locks and background investigations. A comprehensive IRT is also maintained.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Kathleen Stephan (301) 496-5826

Sr. Official for Privacy Approval:


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Grantee Bibliographic Database (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 9, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not applicable

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCCAM 007

7. System Name: NCCAM Grantee Bibliographic Database

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Linda Rich

10. Provide an overview of the system: The database was developed for internal use to collect information about research articles that have resulted from the work funded by NCCAM grants.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The information is used only by NCCAM staff for internal purposes to assess the scientific results of funded research projects. SOR#09-25-0036

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The legislation authorizing this activity is 42 USC 287c-21. The purpose is to collect research results to be internally used to assess the scientific results of funded grants. Personal/IIF information (including the grantee's name and grant number) is required/collected to complete an application; however, submissions are voluntary. The information is gathered from reports submitted by the investigator, disseminated to NCCAM staff involved in the grants process, and maintained in the grantee file.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: All IIF information is obtained from the NIH IMPAC II system. Any major changes to the system should be handled at the NIH level. Notifications and consent procedures with subjects are also handled at the NIH level. Consent is given by the investigator when she/he submits the application or progress report. NCCAM does not have a notification process in place as the grantee bibliographic database does not collect the initial IIF because it is only a recipient of IIF collected by another database that is maintained at the NIH level. This system does not have any notification procedures in place in addition to those in place for the IMPAC II system.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: SOR: 09-25-0036

Information is secured by a required key card and employee badge, and electronically secured by a password login procedure to the NIH computer system, and a requirement of a password when accessing the database. Information is also secured through least privilege, separation of duties, an intrusion detection system, firewalls, locks, and background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Kathleen Stephan (301) 496-5826

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Internet Website (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not applicable

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCCAM-001

7. System Name: NCCAM Internet Web Site

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Irene Liu

10. Provide an overview of the system: The NCCAM Web site ( is used to disseminate scientifically accurate information about complementary and alternative medicine to the public and to health officials via the World Wide Web.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No - SOR#09-25-0106

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The NCCAM Web site ( is used to disseminate scientifically accurate information about complementary and alternative medicine to the public and to health officials via the World Wide Web. NCCAM is not collecting personal information through the NCCAM Web site. Note: NCCAM has submitted a separate PIA for the NCCAM Online Continuing Education Series (please reference that PIA for more information).

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Kathleen Stephan (301) 496-5826

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Intranet Website (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not applicable

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCCAM-002

7. System Name: NCCAM Intranet Web Site

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Irene Liu

10. Provide an overview of the system: The NCCAM Intranet Web site is used to disseminate relevant information and useful dynamic applications to employees of the National Center for Complementary and Alternative Medicine (NCCAM). The key legislation authorizing this Web site is 42 USC 287c-21.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No - SOR#09-25-0106

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The NCCAM Intranet Web site is used to disseminate relevant information and useful dynamic applications to employees of the National Center for Complementary and Alternative Medicine (NCCAM). We are not collecting personal information through the NCCAM intranet Web site.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Kathleen Stephan (301) 496-5826

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Online Continuing Education Series (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCCAM-010

7. System Name: NCCAM Online Continuing Education Series

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Irene Liu

10. Provide an overview of the system: This program is for health care providers, and the public, to view lectures on CAM and receive continuing education credit.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No - SOR#09-25-0106

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Users may VOLUNTARILY provide the following information:

Name, Mailing address, Email, Degree or Credentials, Phone number, Fax number, Specialty, Hospital affiliation.

The purpose is to provide continuing education credits. The information is only to be used by Cine-med Inc, an accrediting entity.

Collection of this data is authorized under authority 42 USC 287c-21

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: NCCAM does not expect to have major changes to the system.

A privacy policy is posted to inform users of the purpose of data collection and explain that data will only be used to confirm registrant participation in the continuing education program (in case they request a copy of their certificate).

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Personnel using the system have been trained and made aware of their responsibilities for protecting the information being collected. Technical controls are in place to minimize the possibility of unauthorized access, use, or dissemination of the data.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Kathleen Stephan (301) 496-5826

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Records Management Database (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not applicable

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCCAM-008

7. System Name: NCCAM Records Management Database

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Kathleen G. Stephan

10. Provide an overview of the system: The purpose of this system is to track the disposition of records sent to the Federal Records Center or the National Archives. Authorizing legislation: 42 USC 287c-21.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No - SOR#09-25-0106

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The information collected includes file names and disposition dates in an effort to effectively manage records. Only necessary information is collected. No IIF is collected.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Kathleen Stephan (301) 496-5826

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM SharePoint (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Oct 17, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCCAM-013

7. System Name: NCCAM SharePoint

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Linda Rich

10. Provide an overview of the system: The system holds grant application information that is retrieved from the IMPAC II database with additional tracking information added for the purpose of application grant approval. The system tracks grant applications under authority 42 USC 287c-21

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): For internal purposes only; IIF will not be shared OR disclosed. SOR #09-25-0036

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: A grant application is submitted voluntarily by the Investigator through the electronic application submission process in That information subsequently is stored in the centralized NIH eRA/IMPAC II database - all notifications and consent procedures with subjects are handled at that level. For the purpose of preparation and tracking of selected grants for funding at the IC/NCCAM level, selected data are downloaded from the eRA database into SharePoint. The selected IIF data are restricted to: Investigator Name and Degrees, Institution, Project Title, e-mail address. In SharePoint that data is used only by NCCAM staff members who have been selected and approved by senior level staff for the purpose of grant preparation and tracking. The data is not shared with nor disclosed to any party, and is deleted on a routine basis (each fiscal year) when it is no longer needed.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: All IIF information is obtained from the NIH IMPAC II system. Any major changes to the system should be handled at the NIH level. Notifications and consent procedures with subjects are also handled at the NIH level. NCCAM does not have a notification process in place as the applications database does not collect the initial IIF. It is only a recipient of IIF collected by another database that is maintained at the NIH level thus we do not have our own notification process to obtain IIF from individuals. This system does not have any notification procedures in place in addition to those in place for the IMPAC II system.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The SharePoint system is electronically behind the NIH firewall and can only be accessed from behind the firewall. The information is physically secured by a required key card and employee badge, and electronically secured by a password login procedure to the NIH computer system, and a requirement of a password when accessing the database. A comprehensive IRT is also maintained. Information is also secured by least privilege, separation of duties, an intrusion detection system, locks and background investigations.

PIA Reviewer Approval: Promote

Comments: Requested revisions completed / additional information supplied - 2/21/08.

PIA Reviewer Name: Robin Klevins

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Feb 22, 2008

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Smart Study Version 4.1 (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Sep 4, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCCAM-012

7. System Name: NCCAM Smart Study Version 4.1

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Laura Lee Johnson

10. Provide an overview of the system: Internet data entry system. Purpose is to provide database and data management system for the conduct of clinical investigation at the Division of Intramural Research / NCCAM. Authorizing legislation: 42 USC 287c-21.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The data is restricted to NCCAM data management, monitoring, and analysis personnel, collaborating study investigators, and KAI Research Inc. staff. No outside access is permitted. For internal purposes only; it will not be shared. SOR #09-25-0200

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Patient information without identifiers (i.e. date of birth and biometric identifiers) is collected for the purpose of the conduct of clinical investigations in Complementary and Alternative Medicine (CAM). Clinical data collected in accordance with NCCAM protocols of clinical investigations enable study investigators to advance knowledge about CAM according to study outcomes set forth in clinical study protocols, and to advance the knowledge about the safety and efficacy of CAM for the treatment of human diseases. This system does collect IIF (date of birth and biometric identifiers) and the submission of this personal information is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: If major changes occur to the system then the principal or associate investigator would have to obtain new consent forms from study subjects. Study information will be collected only from study subjects, and their medical records, according to written consent forms read, explained to, and signed by study subjects prior to study entry.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: All access to the Smart Study™ system is restricted to those with appropriate user names and passwords. Passwords expire at regular intervals and inactive users have their access removed. The system makes use of thin client architecture and all data transmitted is encrypted (128 bit encryption). The data base servers are maintained at KAI research offices which are locked 24/7. Access is permitted using magnetic pass cards. Doors make use of dead bolt and magnetic locks. The database servers are kept in a temperature controlled room behind a double locked metal door. Access to the server room is restricted to the network support staff, two lead programmers and the IT director. DataWatch Inc. monitors entry to KAI facilities during the off hours.

There is no wireless access to the KAI network and KAI network is protected by a Cisco Pix firewall.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Robin Klevins (301) 451-6574

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Feb 15, 2008

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Status of Funds Internet Edition (SOFie) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: no

4. Privacy Act System of Records (SOR) Number: no

5. OMB Information Collection Approval Number: no

6. Other Identifying Number(s): NCCAM-011

7. System Name: NIH NCCAM Status of Funds Intranet Edition (SOFie)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Celena Shirley

10. Provide an overview of the system: SOFie is a financial tracking tool that allows users to access financial data and download data into spreadsheets in order to perform analysis.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Status of Funds internet edition (SOFie) is required by the Administrative and Budget offices of NCCAM for tracking and monitoring the Center’s budget. Utilizing client-server technology, SOFie gives users flexible views and summaries of their accounting structure. The Accounting data and related document information is downloaded from CAS and is relevant to/specific to NCCAM for its fiscal year operations. It is necessary to have access to this data in order to comply with appropriation laws and regulations. The system contains no IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using user name and password, least privilege, separation of duties and intrusion detection system, firewalls, locks, badge access, background investigations.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Kathleen Stephan (301) 496-5826

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Visual Employee Database System (VEDS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3196-00-403-131

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCCAM 005

7. System Name: Visual Employee Data System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Denise Simmonds-Barnes

10. Provide an overview of the system: VEDS is a windows-based application primarily used to manage and track personnel information.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): SOR#09-90-0018. This information is further addressed in the HHS Privacy Act Systems of Record Notice 09-90-0018, published in the Federal Register, Volume 59, November 9, 1994.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The information collected is all information pertinent to a personnel file. There are many uses for this information: (a) tracking a time-limited appointment to ensure renewals are done in a timely manner thereby avoiding any break in service; (b) ensuring that allocated FTE ceilings are maintained; (c) ensuring salary equality for various hiring mechanisms; (d) the ability to provide reports requested by the NIH Director; (e) maintaining lists of non FTEs, special volunteers, contractors, etc. Information is mandatory at time of hire.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Information is collected from documents provided by employees (CV, resumes, etc) at the time of appointment. It is provided in personnel packages submitted through channels in order to effect a hire. This information is put into the EHRP system and subsequently downloaded into VEDS. Individuals are notified of the collection and use of data as a part of the hiring process. Changes to the system or use of the information are relayed to employees via official notices from HR and the system owner.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Access to sensitive data fields is limited on a need-to-know basis. Each user signs a security statement and receives a password. Any violation results in loss of access to the system. Information is also secured by separation of duties, an intrusion detection system, firewalls, locks and background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Kathleen Stephan (301) 496-5826

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCCAM Visual Status of Funds (VSOF) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-02-3198-00-402-125

4. Privacy Act System of Records (SOR) Number: 09-90-0024

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCCAM-006

7. System Name: Visual Status of Funds (VSOF)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Celena Shirley

10. Provide an overview of the system: The purpose of this system is for query and review of accounting data in order to monitor obligations and expenditures associated with a current fiscal year. Authorizing legislation: 42 USC 287c-21

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No - SOR#09-90-0024

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Accounting data and related document information is downloaded from CAS and is relevant or specific to NCCAM for its fiscal year operations. The system contains no IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Kathleen Stephan (301) 496-5826

Sr. Official for Privacy Approval: Kathleen Stephan (301) 496-5826


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Advanced Biomedical Computing Center (ABCC) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 12, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-15

7. System Name: NCI Advanced Biomedical Computing Center ABCC

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: William Boyer

10. Provide an overview of the system: The mission of the Advanced Biomedical Computing Center (ABCC) is to provide high performance computing for the National Cancer Institute, both for its intramural and extramural scientists.

Public Health Act, TITLE 42, CHAPTER 6A, SUBCHAPTER III, Part C, subpart 1, Sec. 285, Sec. 285a

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF in the system

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The information collected consists of name, work phone number, work address, and work e-mail of government employees. This is collected when people sign up to take a class on how to use the ABCC. None of the data collected is information subject to the Privacy Act.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF in this system

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF collected. System uses firewalls, passwords, locks, ID badges, background investigations, network monitoring and an Incident Response team.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Data Standards Repository-Standards Reporting-Common Data Elements (caDSR-SBR-CDE) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 23, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4921-00-110-219

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-31

7. System Name: NIH NCI Standards Based Report (caDSR)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ken Buetow/Jeff Shilling

10. Provide an overview of the system: One of the problems confronting the biomedical data management community is the panoply of ways that similar or identical concepts are described. Such inconsistency in data descriptors (metadata) makes it nearly impossible to aggregate and manage even modest-sized data sets in order to be able to ask basic questions. The NCI, together with partners in the research community, develops common data elements (CDEs) that are used as metadata descriptors for NCI-sponsored research. The caDSR is a database and tool set that the NCI and its partners use to create, edit and deploy the CDEs.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF in the system

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The NCI, together with partners in the research community, develops common data elements (CDEs) that are used as metadata descriptors for NCI-sponsored research. The system does not collect IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF

PIA Reviewer Approval: Promote


PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Diagnosis Program (CDP) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 12, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number: Not Applicable

5. OMB Information Collection Approval Number: Not Applicable

6. Other Identifying Number(s): NCI-7

7. System Name: NIH NCI DCTD Cancer Diagnosis Program (CDP)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Magdalena Thurin, Ph.D.

10. Provide an overview of the system: A contractor independently receives de-identified data or minimal datasets with data use agreement from cooperative agreement funded participants in NCI supported human specimen resources and makes subsets of that data available to researchers using the specimens. A contractor manages password-secure websites that provide logistics support for the research projects.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Does not share IIF

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: No IIF is collected. De-identified information is being provided from the records of cooperative agreement funded institutions participating in NCI funded human specimen resources. The purposes and procedures of these activities have been reviewed by institutional review boards and deemed appropriate.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF is collected. Only de-identified data or a limited dataset with data use agreements under the DHHS Privacy Rule is involved.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF in the system; however, username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, and background investigations are used. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Ethics Data System (CEDS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 16, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number: 09-90-0008

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-8

7. System Name: Cancer Ethics Data System (CEDS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Maureen Wilson / Moli Perkins

10. Provide an overview of the system: Records in CEDS are used to determine whether an employee’s financial interests or outside activities are in conflict with the employee’s duties as a Federal employee. CEDS records actions taken to alleviate conflict of interest and to authorize official duty participation in travel and with non-federal entities to assure compliance with the law. This system is maintained for archival purposes only and will be retired once the 7 year records storage requirement is met.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information may be shared with agencies and inquiries as noted in SOR 09-90-0008. This information is further addressed in the HHS Privacy Act Systems of Record Notice 09-90-0008, published in the Federal Register, Volume 59, November 9, 1994.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Authority for maintenance of this system comes from Executive Order 11222. Employment information imported from NIH personnel systems including name and paygrade. The collected information will be used to assure compliance with the law in matters of conflicts of interest. Submission of personal information is mandatory.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared:

Privacy Act Notification was given at time of collection.

If any IIF information has changed, or any major system changes occur, people are notified electronically.

Employees give consent for their IIF to be stored prior to the information being downloaded into CEDS, at the start of employment.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Records are maintained according to the system of records 09-90-0008. This information is further addressed in the HHS Privacy Act Systems of Record Notice 09-90-0008, published in the Federal Register, Volume 59, November 9, 1994.

PIA Reviewer Approval: Promote

Comments: IIF.

PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Genome Anatomy Project (CGAP) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 23, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-25

7. System Name: NCI Cancer Genome Anatomy Project (CGAP)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ken Buetow/Jeff Shilling

10. Provide an overview of the system: The goal of the NCI's Cancer Genome Anatomy Project is to determine the gene expression profiles of normal, precancer, and cancer cells, leading eventually to improved detection, diagnosis, and treatment for the patient. By collaborating with scientists worldwide, such as the Ludwig Institute for Cancer Research and Lund University, CGAP seeks to increase its scientific expertise and expand its databases for the benefit of all cancer researchers. Public Health Act, TITLE 42, CHAPTER 6A, SUBCHAPTER III, Part C, subpart 1, Sec. 285, Sec. 285a and 44 U.S.C. 3101

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF in the system

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The Cancer Genome Anatomy Project determines the gene expression profiles of normal, precancer, and cancer cells, with the goal of improved detection, diagnosis, and treatment for the patient. Gene expressions are not identified with any individual.

No IIF is collected. Data is downloaded by NIH NCI NCICB authorized users, in this case, cancer researchers.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF collected. System uses firewalls, passwords, locks, ID badges, background investigations, network monitoring and an Incident Response team.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Imaging Camp (CIC) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jan 4, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: This is a minor app and does need a UPI

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): NCI-79

7. System Name: NIH NCI Cancer Imaging Camp

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Anita LoMonico

10. Provide an overview of the system: This application supports a workshop and allows potential participants of the workshop to submit information to the workshop organizers.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The collected information is shared with the workshop's reviewers and organizers.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: 5 U.S.C. 301; 44 U.S.C. 3101. Workshop participants post a limited amount of work-related information and a presentation(s) to a website. IIF includes name, e-mail address, telephone number, CV, institution, and their experiences. The information is used to identify the participants and collect their submission information. Information is submitted voluntarily.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There are no procedures in place for notifying individuals when major changes occur to the system.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, and background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Blaise Czekalski

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Imaging Program Website (CIP) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 12, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number: Not Applicable

5. OMB Information Collection Approval Number: Not Applicable

6. Other Identifying Number(s): NCI-74

7. System Name: Cancer Imaging Program

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Barbara Y Croft / Anne Menkens

10. Provide an overview of the system: This is the public website for the NCI Cancer Imaging Program. It is used to provide information concerning the program to the public and research community.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF in the system

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The Cancer Imaging Program uses this website to disseminate information concerning the Program to the public. It is for information purposes. There is no IIF contained in the system. There is a webpage form used to generate an e-mail to CIP staff which allows individuals to ask questions. The information on the webpage is not kept and is the equivalent of an individual sending an e-mail to the program.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF in the system

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF in the system, however the site is protected by NCICB infrastructure security measures including firewalls, server password protection mechanisms and is monitored by the IRT for intrusion detection.

PIA Reviewer Approval: Promote

Comments: No IIF.

PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Jun 26, 2008

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Integrator (caIntegrator) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 16, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-76

7. System Name: NIH NCI Cancer Integrator (caIntegrator)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Subhashree Madhavan

10. Provide an overview of the system: The caIntegrator knowledge framework provides cancer researchers with the ability to perform ad hoc querying and reporting across multiple domains of cancer data. This application framework comprises an n-tier service oriented architecture that allows pluggable web-based graphical user interfaces, a business object layer, server components that process the queries and result sets, a data access layer and a robust data warehouse. At the heart of caIntegrator is the Clinical Genomics Object Model (CGOM) that provides standardized programmatic access to the integrated biomedical data collected in the caIntegrator data system. Design of the CGOM is driven by use cases from two critical NCI-sponsored studies, a brain tumor trial called GMDI (Glioma Molecular Diagnostic Initiative) and a breast cancer study called I-SPY TRIAL (Investigation of Serial Studies to Predict Your Therapeutic Response with Imaging And moLecular analysis). The model represents data from clinical trials, microarray-based gene expression, SNP genotyping and copy number experiments, and Immunohistochemistry-based protein assays. Clinical domain objects in CGOM allow access to Clinical trial protocol, treatment arms, patient information, sample histology, clinical observations and assessments. Genomic domain objects allow access to biospecimen information, raw experimental data, in-silico transformation and analyses performed on the raw experimental datasets and biomarker findings. The clinical and genomic findings domain objects have relationships to the FindingsOntology object, as the findings can be complex concepts which, in turn, can be generically represented as items occurring in an ontology (for example, WHO histopathological classification for brain tumor histology findings). caIntegrator supports the mission of the National Cancer Institute, NIH Center for Bioinformatics as a web application for cancer research.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The agency collects from authorized researchers, maintains, and disseminates via a strictly controlled process to authorized researchers de-identified medical data consisting of de-identified imaging and molecular analysis cancer data, including DNA snippets. This information is submitted on a voluntary basis. No personal information is collected.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF is collected.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF

PIA Reviewer Approval: Promote


PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Jan 26, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Cancer Therapy Evaluation Program (CTEP FISMA) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: Alteration in Character of Data

1. Date of this Submission: Dec 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4902-00-110-219

4. Privacy Act System of Records (SOR) Number: NA

5. OMB Information Collection Approval Number: NA

6. Other Identifying Number(s): NCI-14

7. System Name: NIH NCI Cancer Therapy Evaluation Program (CTEP)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Steve Friedman (George Redmond is alternate POC)

10. Provide an overview of the system: The purpose of the system is to assure patient safety and meet the NCI CTEP scientific, regulatory, administrative and operational program mission. Specifically, it is used to document, track, monitor and evaluate NCI clinical research activities. The Cancer Therapy Evaluation Program Enterprise System (CTEP-ESYS) project is the primary data collection mechanism for NCI's vast clinical trials program. CTEP-ESYS collects safety and clinical results data on 1,500 ongoing cancer clinical trials (trials not yet completed) that monitor more than 30,000 patients per year in more than 17 disease areas. Data reporting and analysis in real time is critical to ensuring adequate monitoring of the ongoing clinical research. Timely data reporting and analysis also assures effective planning for the required successor studies, thus accelerating the evaluation of promising new agents and regimens for patients with cancer.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF in the system

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: 287, 287b, 287c, 289a, 289c, and 44 U.S.C. 3101.).

There is No IIF in CTEP-ES.

The types of data used are scientific and health data about cancer clinical trials, including clinical and pre-clinical data with associated regulatory and administrative supporting information. Patient participation in CTEP clinical trials is voluntary and participants in CTEP clinical trials sign an informed consent. Types of information available in the enterprise include protocols and protocol attributes, drug inventory and site distribution records, adverse event report, site audit reports, IND submission records, Investigator registration details, and Non-IIF patient accrual details. The information is used to assure patient safety, for scientific decision making, drug distribution, regulatory oversight (i.e., investigator registration; trial audits), and to facilitate administrative operations.

CTEP Staff routinely generate standard reports and request ad-hoc reports that display CTEP-ESYS data. The reports are used by CTEP Staff to analyze clinical trial operations and are also used to communicate with external collaborators. In addition to CTEP initiated reports, occasionally ad-hoc reports are created from CTEP-ESYS to support a response to a FOIA request. In all cases no IIF information is included in reports because no IIF information is stored in CTEP-ESYS.

CTEP has coordinated a procedure where commercial pharmaceutical companies can request reports that display CTEP-ESYS data. This procedure requires review and approval by the CTEP Regulatory Affairs Branch (RAB) prior to the generation of reports. In all cases no IIF information is included in reports because no IIF information is stored in CTEP-ESYS.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF

PIA Reviewer Approval: Promote

Comments: No IIF.

PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI CB caAmel (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jan 4, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-4918-00

4. Privacy Act System of Records (SOR) Number: None

5. OMB Information Collection Approval Number: none

6. Other Identifying Number(s): NCI-77

7. System Name: NIH NCI CB caAmel

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Mervi Heiskanan

10. Provide an overview of the system: caAMEL is part of the National Cancer Institute, NIH Center for Bioinformatics set of web applications. caAMEL is a web-based utility that can validate MAGE-ML documents, and, more importantly, can load valid files (MAGE-ML documents) into a caArray (the main Bioinformatics program) repository. Hence, it serves as a valid input program to input cancer data for caArray. caAMEL supports the mission of the National Cancer Institute, NIH Center for Bioinformatics as a web application for cancer research.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The agency collects deidentified medical data from cancer subjects that is voluntarily submitted by cancer researchers. The patients have voluntarily signed a release form to participate in the study. The information does not contain Information in Identifiable Form (IIF).

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: System does not contain IIF

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: There is no IIF in the system.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Bruce Woodcock

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Jan 25, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI CB Clinical Trials - Bioinformatics (C3D) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 12, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4917-00-110-219

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-27

7. System Name: NCI CB Clinical Trials – Bioinformatics

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Christo Andonyadis

10. Provide an overview of the system: The Cancer Centralized Clinical Data System (C3DS) is leading the National Cancer Institute's (NCI) effort to create and distribute information technology infrastructure to support the conduct of all aspects of NCI's supported clinical trials. Public Health Act, Title 42, Chapter 6A, Subchapter III, Part C, Subpart 1, Sec. 285, Sec. 285A And 44 U.S.C. 3101

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): IIF data is limited to the doctors and nurses specifically linked to that study.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: DOB, Medical Notes and Medical Record Numbers. The C3D will collect clinical trial data for efficacy analysis and safety monitoring. Clinical Centers collect the data that is stored in C3D voluntarily.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Notification and consent for individuals is covered under the Privacy Policy provided on the site. All NCICB websites contain a Privacy Preference statement which enables NCICB to express its privacy practices in a standard format that can be retrieved automatically and interpreted easily by user agents to automate decision-making based on these practices when appropriate.

Notice of consent is provided via an electronic notice (in both machine- and human-readable formats).

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: System uses firewalls, passwords, locks, id badges, background investigations, network monitoring and an Incidence Response team.

PIA Reviewer Approval: Promote

Comments: No IIF.

PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI CB Mouse Models (CaMOD) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 23, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4919-00-110-219

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-30

7. System Name: NIH NCI CB Mouse Models

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ken Buetow/Jeff Shilling

10. Provide an overview of the system: The NCI Mouse Models of Human Cancers Consortium (MMHCC) is a collaborative program designed to derive and characterize mouse models, and to generate resources, information, and innovative approaches to the application of mouse models in cancer research. In addition to the MMHCC initiative, the NCI sponsors numerous other projects to develop, analyze, and apply mouse cancer models. This NCI Mouse Model project provides the cancer research community with information about mouse models and mouse research generated by the MMHCC and other NCI-supported projects. Public Health Act, TITLE 42, CHAPTER 6A, SUBCHAPTER III, Part C, subpart 1, Sec. 285, Sec. 285a and 44 U.S.C. 3101

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF in the system

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system does not collect any IIF. The only data collected is non-human mouse cancer model information. The agency distributes this information to cancer researchers; no human data is collected.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF Collected

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF collected. System uses firewalls, passwords, locks, id badges, background investigations, network monitoring and an Incidence Response team.

PIA Reviewer Approval: Promote

Comments: No IIF.

PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Clinical Research Information Exchange Federal Investigator Registry (CRIX FIREBIRD) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 25, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable (this is a minor application)

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: Not Applicable

6. Other Identifying Number(s): NCI-75

7. System Name: Clinical Research Exchange Federal Investigator Registry CRIX FIREBIRD

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: John Speakman, Project Manager, Federal Investigation Registry

10. Provide an overview of the system: Firebird will automate the existing FDA Form 1572 registration process and enable investigators to register online with NCI and other sponsors, including pharmaceutical companies, thus removing paper based latencies and infrastructure costs and allowing investigators to centrally maintain and manage all 1572 registrations. Through a single web-based platform, investigators will be able to maintain a secure profile of the most common information required when participating in drug trials.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The IIF may be shared with Pharmaceutical companies and the Food and Drug Administration via an Oracle link. The IIF is under SOR 09-25-0200, Clinical, Basic and Population-based Research Studies of the National Institutes of Health (NIH), HHS/NIH/OD

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The agency collects voluntarily given data on researcher’s name, mailing address, phone numbers, e-mail address, Medical license number and the State in which it was issued, and the researcher’s Unique Physical ID number (UPIN) in order to identify the researcher to authorized viewers and provide contact information and credential information to authorized users. The Food and Drug Administration authorizes all users.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Researchers give only their own personal information and do so voluntarily. The Firebird web site will disclose any changes to how IIF is used or shared on the website itself.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The IIF will be secured by management, operational, and technical controls. Some of these controls include user identification and authentication, public key encryption (PKI) certificates on a required SAFE hardware plugin device for users, the concept of least privilege, and firewalls. The PKI certificates will be validated by SAFE. Infrastructure product, username and password, annual risk assessments, background checks on administrative employees, and key locks, cipher locks and keycards necessary to enter server rooms.

PIA Reviewer Approval: Promote

Comments: IIF

PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Clinical Trial Universal System (caCTUS) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jul 30, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: none

4. Privacy Act System of Records (SOR) Number: none

5. OMB Information Collection Approval Number: none

6. Other Identifying Number(s): NIH-85

7. System Name: NIH NCI Clinical Trial Universal System (caCTUS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Anand Basu

10. Provide an overview of the system: Clinical Trial Unified System (caCTUS) is a light Web-based computer application for managing cancer protocols. The caCTUS - Protocol enables the users to create, modify and manage cancer protocols, such as NCI Identifier, Local Identifier, Monitoring Code, Protocol Title, Trial Type, Trial Phase, Status, Lead Organization, and other similar information.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): no IIF

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The agency collects cancer research protocol data from authorized Researchers. No personal information is collected. No medical information is collected at this time. If medical information is collected in the future, it is expected to be fully de-identified, so that no patient names or social security numbers or any HIPAA identifiers are attached.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: no IIF

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: no IIF

PIA Reviewer Approval: Promote


PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI CMBB Trainee Supplements (CMBB) (Item)






PIA Summary


Is this a new PIA 2008?: No

1. Date of this Submission: Jul 12, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-20

7. System Name: NCI CMBB Trainee Supplements

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Anita LoMonico

10. Provide an overview of the system: This system is used to provide metrics to assess the success rate of the NCI Comprehensive Minority Biomedical Branch (CMBB) program and to provide grantees information about other training opportunities.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No information shared. The disclosures permitted in SOR 09-25-0036 are not utilized.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Authority for maintenance of the system is per SOR 09-25-0036: 5 U.S.C. 301; 42 U.S.C. 217a, 241, 282(b)(6), 284a, and 288. 48 CFR Subpart 15.3 and Subpart 42.15. Information collected consists of name, date of birth, social security number, mailing address, phone number, e-mail address, financial information, education records, race, ethnicity, and gender. This demographic information is collected as a part of the standard NIH grants application process. It is also used to provide metrics to judge the success of the NCI Comprehensive Minority Biomedical Branch in fulfilling its mission to help grantees become competitive researchers over time. In addition, CMBB sends each new minority trainee a Personal Data Sheet attached to collect address and contact information which is used to add the trainees to a mailing list to receive updates from CMBB about funding opportunities. The Personal Data Sheet is optional for the trainee and is thus voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There is no process in place to notify individuals of major changes in the system. CMBB sends each new minority trainee a Personal Data Sheet attached to collect address and contact information which is used to add the trainees to a mailing list to receive updates from CMBB about funding opportunities. The use of this information is described and they consent when they fill out the form.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The information is secured via access restrictions including database roles, passwords, and firewall. There is also physical security in place for the servers consisting of guards, cardkeys, cipher locks and storage of backup files at a different physical location.

PIA Reviewer Approval: Promote

Comments: IIF.

PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI DCEG Intramural (DCEG) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 12, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4926-00-110-219

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-17

7. System Name: NCI DCEG Information System (Intramural)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Anita LoMonico / Dennis Leggett

10. Provide an overview of the system: This system allows the users in the Division of Cancer Epidemiology and Genetics (DCEG) to analyze costs of scientific studies and provide more efficient and accurate reporting to both NIH and

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF in the system

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Work-related information is used from other systems. This includes name, work address, e-mail address, and phone number for government employees. A limited amount is entered by staff. This includes such things as research title, research description, lead investigator, collaborators, risk factors, study type, cancer sites, research category, common scientific outline coding, keywords, and study population accrual. Information is then available for dissemination about the research within NCI and to the NIH.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF collected

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF collected. System uses firewalls, passwords, locks, ID badges, background investigations, network monitoring and an Incident Response team.

PIA Reviewer Approval: Promote

Comments: No IIF.

PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI DCP Enterprise System Knowledgebase (DESK) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: Initial PIA Migration to ProSight

1. Date of this Submission: Feb 9, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-45

7. System Name: NIH NCI DCP Enterprise System Knowledgebase (DESK)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Linda Parreco

10. Provide an overview of the system: DESK supports the administrative work of DCP. It helps DCP carry out study monitoring, research, agent development, drug distribution to research sites, protocol review, administration, and reporting to DHHS entities and other activities required by DCP to carry out its mission

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF is present in the system

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: It tracks the receipt, abstraction, review, approval, and implementation of concepts and protocols. It collects information to facilitate study analysis and planning for future clinical trials. It contains business contact information for investigators, contractors, and government personnel.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF is present in the system

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF is present in the system.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Bruce Woodcock

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI DCTD Developmental Therapeutics Program (DCTD DTP) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 12, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-27-02-AD;4999-00-202-072

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-22

7. System Name: NIH NCI DCTD Developmental Therapeutics Program (DCTD DTP)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Daniel Zaharevitz

10. Provide an overview of the system: This is the NCI DCTD DTP Program website.

The main function of the DTP web site is to provide the research community with access to DTP data, policies and procedures. The data include over 250,000 chemical structures, growth inhibition data in human tumor cell lines for over 40,000 compounds, gene expression data measured in human tumor cell lines, results in mouse tumor models for over 100,000 compounds and much other data. Almost all of this data is freely available to all and no registration is required and no personal information is collected. The exception is for people who wish to submit compounds for testing. They must register and personal information necessary to contact them is collected (name, address, phone, email).

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF in the system

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Public Health Act, TITLE 42, CHAPTER 6A, SUBCHAPTER III, PART C, subpart 1, Sec.285, Sec. 285a, and 44 U.S.C. 3101. General Program and support information for grantees and clinical trial personnel. Workplace contact information is collected for users that wish to submit compounds for screening. No IIF is collected.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF, however investigating partners are emailed notification of use of information.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF collected. We have business contact information with business partners.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Director's Challenge Toward a Molecular Classification of Cancer (CaArray) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 23, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-28

7. System Name: Director's Challenge Toward a Molecular Classification of Cancer

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ken Buetow/Jeff Shilling

10. Provide an overview of the system: NCI Center for Bioinformatics sponsors this activity; the goal is to challenge the scientific community to harness the power of comprehensive molecular analysis technologies to redefine tumor classification, moving from morphological to molecular classification. Defining and understanding the changes associated with individual tumors can identify patient subsets and be used to tailor treatment regimens. There are several software tools developed to support the activity.

· Gene Expression Data Portal (GEDP): This data portal allows users to submit and search microarray experiments.

· Cancer Workbench (caWorkBench) is a suite of software tools for loading, visualizing and analyzing gene expression data.

Public Health Act, Title 42, Chapter 6A, Subchapter III, Part C, Subpart 1, Sec. 285, Sec. 285A And 44 U.S.C. 3101

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF in the system

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: No IIF is collected. The data is de-identified gene data obtained from biological samples. The agency distributes this information to authorized users of the system.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF is collected.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF collected. System uses firewalls, passwords, locks, ID badges, background investigations, network monitoring and an Incident Response team.

PIA Reviewer Approval: Promote

Comments: No IIF.

PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI e-Grants/web-Grants (e-Grants) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 16, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-04-00-02-4930-00-110-219

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-38

7. System Name: NCI e-Grants/web-Grants

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Terry Dunne

10. Provide an overview of the system: The eGrants/web-Grants provides online access over the web to the official grant files including the ability to search for particular grants or documents.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The name and contact information is shared with the NIH IMPACII system. Other information is not shared. Sharing is done in accordance with SOR 09-25-0036.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Authority for collection of this information is 5 U.S.C. 301; 42 U.S.C. 217a, 241, 282(b)(6), 284a, and 288. 48 CFR Subpart 15.3 and Subpart 42.15. IIF contained in this system consists of the following information about grantees: name, social security number, mailing address, telephone number, financial information, e-mail address, education records, and a notice of grant award. This information is maintained as part of the grants management system. The majority of this information is not shared outside of NCI. The name and contact information is shared with the NIH IMPAC II system. Information is submitted voluntarily.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared:

There is no process in place to notify individuals in the event of major changes to system.

The grantees submit their information voluntarily and are made aware that it will be used in the grant funding process.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, and background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote

Comments: IIF.

PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Electronic Early Concurrence System (EEC) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 12, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: Not Applicable

6. Other Identifying Number(s): NCI-41

7. System Name: NCI DEA Electronic Early Concurrence System (EEC)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Greg Fischetti

10. Provide an overview of the system: Records National Cancer Advisory Board concurrence and Program staff approval for early funding of highly scored grant applications. Public Health Act, TITLE 42, CHAPTER 6A, SUBCHAPTER III, Part C, subpart 1, Sec. 285, Sec. 285a and 44 U.S.C. 3101. The system downloads basic grant data from IMPACII and allows a limited number of the NCAB Members, who are special government employees, to indicate whether they concur with the initial peer review. The system also allows NCI Program Directors to indicate whether there are any reasons the grants would not be currently eligible for payment.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No Data is shared.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: System records approvals by NCAB and program staff. The only information about the Principal Investigators that is downloaded from IMPAC II is the Principal Investigator Name. The system maintains Name and email address for the 4 NCAB members. The system also maintains a list of NCI Program Directors which has their name, email, and phone number. This information is available to the public via the NIH Web Site.

The PI names are used along with Grant Number and Title to assist staff in identifying the grant application; the NCAB Member and Staff email addresses are used to send email reminders. No information from the system is published; it is just used by NCI Grants Management staff in helping to determine whether to send early concurrence letters to applicants.

Submission of information is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: All data is collected and maintained by the NIH Grants Management System (IMPAC II), so notifications would be handled by that system. Changes to the NIH Grants Management System are announced in the NIH Guide.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Enterprise Vocabulary System (EVS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 16, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4920-00-110-219

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-29

7. System Name: NIH NCI Enterprise Vocabulary System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Gilberto Fragoso

10. Provide an overview of the system: NCI Enterprise Vocabulary Services (EVS) provides resources and services to meet NCI needs for controlled terminology, and to facilitate the standardization of terminology and information systems across the Institute and the larger biomedical community.

Two key terminology resources are produced and published by EVS:

NCI Thesaurus is a reference terminology used in a growing number of NCI and other systems. It provides rich textual and ontologic descriptions of some 50,000 key biomedical concepts.

NCI Metathesaurus is a comprehensive biomedical terminology database, connecting 2,500,000 terms from more than 50 terminologies, including some proprietary vocabularies with restrictions on their use.

EVS is a partnership between the NCI Office of Communications and the NCI Center for Bioinformatics. It is a key component of the cancer Common Ontologic Resource Environment (caCORE) and the cancer Biomedical Informatics Grid (caBIG), and is used in the NCI Web Portal and Physician Data Query (PDQ) cancer information services.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF in the system

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: This system contains no IIF. It is used to provide a controlled, consistent vocabulary for use across various systems.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF collected.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF in the system

PIA Reviewer Approval: Promote


PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Environmental and Genetic Lung Etiology (EAGLE) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: Initial PIA Migration to ProSight

1. Date of this Submission: Jul 16, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: None

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): NCI-80

7. System Name: NIH NCI Environmental and Genetic Lung Etiology (EAGLE)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Subhashree Madhavan

10. Provide an overview of the system: Environmental and Genetic Lung Etiology (EAGLE) is an interdisciplinary multi-center case-control study of lung cancer conducted in Milan, Italy, designed to explore the genetic determinants both of lung cancer and smoking. The objectives of the EAGLE study, as identified by DCEG, are as follows:

· Perform genetic profiling of study participants by 15STR markers

· Conduct analysis of gene expression in adenocarcinoma lung cancer tissue of smokers and non-smokers

· Identify histologic characteristics of lung cancer in relation to genotype, gene expression, somatic mutations, and smoking

· Monitor therapy efficacy and survival of lung cancer patients

· Identify lung cancer-affected siblings of cases and the unaffected siblings in the same sibships

· Perform integrative analyses of the above-mentioned datasets in the context of the epidemiological data from the study.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The agency voluntarily collects from authorized Researchers, maintains, and disseminates via a strictly controlled process to authorized researchers de-identified medical data consisting of de-identified molecular analysis cancer data, including DNA snippets. No personal information is collected.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF is collected

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF

PIA Reviewer Approval: Promote


PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Fiscal Linked Analysis Research Emphasis (FLARE) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 12, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-4920-00-202-069

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-18

7. System Name: NIH NCI Fiscal Linked Analysis Research Emphasis (FLARE)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Amir Sahar-Khiz

10. Provide an overview of the system: Supports Science Area Coding of grants and contracts for categorization of research dollars

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share IIF. The disclosures permitted by SOR 09-25-0036.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Grants and contracts are coded by NCI staff to allow categorization of research dollars. The information about Principal Investigators is their person ID, name, and degree. No IIF is collected.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF is collected

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote

Comments: No IIF.

PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI IMPAC II Extensions (IMPAC II) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 12, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-04-00-02-4904-00-110-219

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-1

7. System Name: NIH NCI IMPAC II Extensions (IMPAC II)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Anita LoMonico

10. Provide an overview of the system: This system extends the NIH IMPACII extramural information to include the specifics of the NCI extramural business process of grant portfolio management. This includes the transition from a paper business process to an electronic process across the life cycle of an NCI sponsored grant.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No information is shared. Disclosures permitted in SOR 09-25-0036 are not utilized.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Authority for collection of this information is 5 U.S.C. 301; 42 U.S.C. 217a, 241, 282(b)(6), 284a, and 288. 48 CFR Subpart 15.3 and Subpart 42.15. The IIF that the system captures on the public concerns only grantees and is obtained from the NIH IMPACII system and the NIH Data Warehouse. The IIF that the system directly collects is about individuals employed by NCI and involved in the grants business process. IIF includes name, work address, work phone number, and financial account information. Information is given voluntarily.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: We have an agreement with IMPAC II that describes what data we will receive and limits how it will be used. If we need to change how it will be used, the agreement will be renegotiated and notification and consent issues will be part of any new agreement.

Individuals are notified and consent to the use of their information in this type of system when they receive grants or are hired by the government.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote

Comments: IIF

PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Internet Website ( (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 16, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-5

7. System Name: NIH NCI Internet Website -

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Wayne Bittinger

10. Provide an overview of the system: This is the NCI's internet Web site. It disseminates cancer-related information, including information on prevention, screening, diagnosis, treatment, and survivorship. Individuals may enter their e-mail address in order to receive the NCI Cancer Bulletin.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Does not share or disclose IIF. If this changes, disclosure will be done per SOR 09-25-0106

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: SEC.407 (b) (4) of the National Cancer Act authorizes NCI to: “collect, analyze, and disseminate all data useful in the prevention, diagnosis, and treatment of cancer, including the establishment of an international cancer research data bank to collect, catalog, store, and disseminate insofar as feasible the results of cancer research undertaken in any country for the use of any person involved in cancer research in any country.” The only information collected is e-mail addresses. It is used to disseminate the e-newsletter, the NCI Cancer Bulletin. Submission of this information is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Individuals enter their e-mail address in order to receive the NCI Cancer Bulletin. They are told this on the web site when they subscribe. This is voluntary. E-mail notifications can be sent if a major change to the system is made.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Labmatrix (Labmatrix) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jul 30, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: none

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: none

6. Other Identifying Number(s): NCI-84

7. System Name: NIH NCI Labmatrix

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jason Levine

10. Provide an overview of the system: Labmatrix is a system which allows for the tracking of tissue and fluid specimens obtained as part of clinical and translational research, and the tracking and collation of the results of experiments performed on those specimens. The system uses a Microsoft SQL database for its back-end data store; data entry and reporting is performed using either a web-based application or via custom-written applications which access the system via a standardized API. Labmatrix incorporates a user-based system of security and data partitioning, providing for the ability to restrict access to the system as a whole and to restrict users to the ability to view and manipulate only the data to which they have appropriate rights. Likewise, the security system incorporates a system-wide awareness of the idea of protected health information (PHI), and enforces strict access to this information on a granular basis to only those system users with both a need and the rights to know.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): IIF is shared among clinical and translational investigators who have been approved by the NIH Institutional Review Board to collaborate on any given clinical trial, such that these individuals can maintain accurate records of the specimens and results generated on their clinical trials. As stated in the SORN 09-25-0200 under Routine Uses of Records Maintained in the system, including categories of users and purposes of such uses: Disclosure may be made to agency contractors, grantees, experts, consultants, collaborating researchers, or volunteers who have been engaged by the agency to assist in the performance of a service related to this system of records and who need to have access to the records in order to perform the activity. Recipients shall be required to comply with the requirements of the Privacy Act of 1974, as amended, pursuant to 5 U.S.C. 552a(m).

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The information which will be collected within Labmatrix will be that for which collection has been approved by the NIH Institutional Review Board for any given clinical research trial. This generally includes both IIF and non-IIF, such as: a subject’s name, date of birth, medical record numbers, contact information, notes about the subject’s clinical care, records of all biological specimens obtained from the subject during the course of participation in the clinical research trial, and results of clinical and research tests performed on specimens obtained from the subject. Submission of this information on the part of the subjects is voluntary, and permission is provided by trial participants via the standard clinical trial consent process.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: If and when major changes occur to the Labmatrix system such that data is either disclosed or the use of the data changes, our standard practice would be to inform the clinical and translational research investigators who have primary contact with the participants in their trials, and ask them to notify the subjects and obtain any further consents which are needed. Likewise, we rely on these investigators to obtain the initial consent from any subjects whose IIF will be stored in Labmatrix, and expect that the IRB-approved clinical trial consent documents will contain all relevant information about how this information is both used and shared.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative: Labmatrix incorporates its own list of permitted users, and restricts administrative control of the system to only those users who are specifically granted this right within Labmatrix. Similarly, the back-end database maintains its own list of approved administrative users, and grants administrative access and control only to these approved users.

Technical: Labmatrix incorporates encryption of all communication that travels over any network interface entering or leaving the system; this includes secure HTTP for all communication with the web application, and SSL encryption of all communication using the APIs for the system.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI National Cancer Institute Initiatives and Projects System (NIPS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 23, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-68

7. System Name: NIH NCI National Cancer Institute Initiatives and Projects System (NIPS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: James Corrigan

10. Provide an overview of the system: NIPS is a database enabling NCI staff to analyze NCI’s portfolio of initiatives, resources, and projects. More specifically, NIPS enables NCI staff to: 1) Retrieve all NCI initiatives, resources, and projects/awards that meet criteria chosen by the user and 2) Organize, display, and share this information in many different ways

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Grant investigator name and institute is shared with the public as required by law. Employee name and email address is shared with the public as a point of contact. This is described in SOR 09-25-0036.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Authority to Operate - 5 U.S.C. 301; 42 U.S.C. 217a, 241, 282(b)(6), 284a, and 288. 48 CFR Subpart 15.3 and Subpart 42.15. NIPS provides information about NCI-supported initiatives, resources, and projects (extramural research awards and training awards, intramural research awards, and clinical trials). Users can search any or all of these types of activities by any combination of 25 search criteria, including area of research (the Common Scientific Outline), disease site, Special Interest Category (SIC), year, status, mechanism, NCI division, funding amount, and relevance to SIC and site. IIF includes name, address, phone number, and e-mail address. Information is given voluntarily.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: All IIF information comes from IMPAC-2, the NIH Guide to Initiatives or other public sources with the exception of some Research Resource contacts, which are provided voluntarily by NCI Divisions. Use of IIF information is limited to functions stated previously, with no plans to use in any other way. In the highly unlikely event that a change to this policy should occur, notification of this change would be sent electronically to the most current email address on record, with a return address for replies.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote

Comments: IIF.

PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Network and Directory (eDir) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 18, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-4

7. System Name: NIH NCI Network & Directory

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Doug Hosier

10. Provide an overview of the system: This system provides network and directory services to the NCI. It is used to control access to NCI computer resources. To accomplish this, it contains username/password information, contact information, and information about access rights.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF in the system

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Collects work-related/assigned information necessary for network operations. The system contains username, password, work phone, work address, and name for NCI employees, contractors, fellows, and others who have a business relationship with NCI.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF in the system

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Office of Acquisitions (OA) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 12, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number: no

5. OMB Information Collection Approval Number: no

6. Other Identifying Number(s): NCI-2

7. System Name: NIH NCI Office of Acquisition System (OA)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tish Best

10. Provide an overview of the system: This system collects and maintains pre- and post-award contract data for reporting to Department and Federal Contract Information Systems (DCIS & FPDS-ng). The types of information include the socio-economic classification of the contractor (small, disadvantaged, etc.) as well as information about the type of project.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The primary data collected by the system is of a financial/budgetary nature. Additional NIH reporting requirements relating to each project i.e., socioeconomic classification of the contractor (e.g. small disadvantaged business); information about the type of project, i.e. clinical trial; human subject research; animal research; epidemiological study; is also collected. No personal information (IIF) on any individual is collected in this system. The project information collected is required by the HHS Department Contract Information System (DCIS) which transmits the information to the Federal Procurement Data System-Next Generation (FPDS-NG) which provides this budget and project information to Congress.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF collected.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF collected.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Office of Liaison Activities Database (OLA) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 12, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4915-00-110-219

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-64

7. System Name: NIH NCI Office of Liaison Activities Database (OLA)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Anita LoMonico

10. Provide an overview of the system: The Office of Liaison Activities Database (OLA) maintains contact information for advocacy organizations and professional societies. The system also maintains information about individual advocates that serve the NCI through the Director’s Consumer Liaison Group (DCLG) and the Consumer Advocates in Research and Related Activities (CARRA) program.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Does not share outside the agency. Disclosures permitted in SOR 09-25-0106 are not made.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Legislative authority is 42 U.S.C. 203, 241, 289l-1 and 44 U.S.C. 3101, and Section 301 and 493 of the Public Health Service Act. Information maintained for advocates that are members of the CARRA program includes membership status (active or non-active), race/ethnicity/age/gender of member, occupation, highest educational degree earned, area of educational degree, primary/personal/constituency cancer type, location/race/ethnicity of constituency, activity preferences, computer skills, ability to travel, and skills/accomplishments/activities. Information is used only within the agency. Submission of information is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Notification and consent in both cases is done via e-mail.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote

Comments: IIF.

PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Orientation Registration (OrienReg) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 12, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4915-00-110-219

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-35

7. System Name: NIH NCI Orientation Registration (OrienReg)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Anita LoMonico

10. Provide an overview of the system: A website used to register new employees for the NCI Orientation Program.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): IIF not collected

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Employee names are entered into a database in order to register them for employee orientation. No IIF is collected. Submission of this information is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Individuals are notified when they are hired about how the information will be used. No procedures are in place to notify individuals if major changes to the system are made.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Patient Sample Data Management System (PSDMS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 12, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4915-00-110-219

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-6

7. System Name: NIH NCI Patient Samples Data Management System (PSDMS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Anita LoMonico

10. Provide an overview of the system: The system allows the users in Dr. William Figg’s lab to input patient sample data for analysis and research.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF is shared or disclosed, even though the SOR (09-25-0200) states that it can be.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Government authorization: Public Health Act, TITLE 42, CHAPTER 6A, SUBCHAPTER III, Part C, subpart 1, Sec. 285, Sec. 285a and 44 U.S.C. 3101. Dr. Figg's lab inputs samples data into PSDMS. Patient information is loaded from the Orkand Clinical Data Registry (CDR). Sample data is used for research. The IIF used is name, race, ethnicity, disease, and sample information. Information is submitted voluntarily.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: PSDMS data is downloaded from the Clinical Center's Central Data Registry. Notification to patients follows clinical trials protocol established by NIH/NCI. Patient consent forms provide notification and obtain consent from the individuals. There are no procedures in place to notify individuals when major changes occur to the system.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote

Comments: IIF

PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI PLCO Research Database (PLCO) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jul 18, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-59

7. System Name: NIH NCI PLCO Research Database (PLCO)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dorothy Sullivan

10. Provide an overview of the system: The system is used for monitoring, quality control, and analysis of the PLCO trial.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF in the system

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: This system is used to store and monitor data from the participants in the PLCO and NLST prevention trials. Such data consists of results of screening tests such as chest x-rays, serum PSA and CA-125, sigmoidoscopy, etc. Medical history and other questionnaire information is also stored. To protect confidentiality, the data in this system is referenced by a randomly assigned participant ID code only. The actual identity of the participant is known only to the screening center at which these tests were conducted. Since these participants are treated as clinical patients at these centers, their true identity is considered confidential, as with any patient, and is protected in accordance with HIPAA regulations to which all of these screening centers must adhere.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Portfolio Management Application (PMA) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 16, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: NA

6. Other Identifying Number(s): NCI-32

7. System Name: NIH NCI DCCPS Portfolio Management Application (PMA)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Everett Carpenter

10. Provide an overview of the system: This application is used by NCI Extramural Division staff to manage their Research Portfolio (Grants, Contracts, Interagency Agreements); responding to Congressional Requests (Coding, Searching, Reporting); mass mailing; Dynamic Dissemination of Research Portfolio on Public Web site, etc.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Shared with NREP to identify and collect programs for the RTIPS application. Shared with Input Solutions Inc. to convert Program Products for RTIPS application. Share RTIPS contact Information with ASPEN Systems for the purpose of order fulfillment. Dissemination of Principal Investigator name on DCCPS Public web site. Share CCPlanet contact information. Information sharing is done in accordance with SOR 09-25-0036.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Public Health Act, TITLE 42, CHAPTER 6A, SUBCHAPTER III, Part C, subpart 1, Sec. 285, Sec. 285a and 44 U.S.C. 3101. The information is collected and reviewed by the Federal Program and DCCPS Management Staff to provide timely information for analysis, processing and/or dissemination. IIF collected is name, mailing address, e-mail address, and phone number. Information is submitted voluntarily.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared:

Change in Data Use/Shared – Individuals will be notified via telephone or email to obtain consent.

Via the CCPlanet order form, individuals are told how the information will be used/not used and consent is obtained by the user entering their information and executing the submit order button.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Radiation Epidemiology Course 2007 (REC07) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jan 4, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: None needed no PII

4. Privacy Act System of Records (SOR) Number: None needed no PII

5. OMB Information Collection Approval Number: None needed no PII

6. Other Identifying Number(s): NCI-78

7. System Name: NIH NCI Radiation Epidemiology Course 2007

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jenna Nober

10. Provide an overview of the system: Provides information to prospective attendees about the Radiation Epidemiology Course to be held in May 2007. This course provides an overview of the field of radiation epidemiology to people with an interest in the health effects of exposure to radiation. The information provided is a description of the course, the schedule, the speakers, the course material, and local maps.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: This is an informational-only website. No information is collected. The system does not contain IIF. It disseminates information on a course in Radiation Epidemiology being offered by the Radiation Epidemiology Branch, Division of Cancer Epidemiology & Genetics, National Cancer Institute, National Institutes of Health.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF in the system

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF in the system.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Blaise Czekalski

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Jan 25, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI SPORE Presentation Submission (SPORE) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 12, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4915-00-110-219

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-34

7. System Name: NIH NCI SPORE Presentation Submission (SPORE)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Anita LoMonico

10. Provide an overview of the system: Annual Spore Meeting participants post presentations that will be delivered at the meeting to a website

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Name and e-mail address are disclosed to other meeting participants on the website. Name, e-mail address, employment status, and phone number are shared with meeting organizers.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: 5 U.S.C. 301; 44 U.S.C. 3101. Meeting participants post a limited amount of work-related information and a presentation(s) to a website. IIF includes name, employment status, e-mail address, and telephone number. The information is used to identify the participants and collect their submission information. Information is submitted voluntarily.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There are no procedures in place for notifying individuals when major changes occur to the system. The website states "This is a government sponsored meeting that is open to the public. Your contact information will be printed in all workshop materials. Please do not provide personal information when completing your registration."

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote

Comments: No IIF.

PIA Reviewer Name: Brent Kopp

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI SPORES Relationship and Clinical Interventions Portal (SPORE RCI) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 16, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-69

7. System Name: NIH NCI SPORES Relationship and Clinical Interventions Portal (SPORE RCI)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dr. Jorge Gomez

10. Provide an overview of the system: The SPORE Project Relational Database and Clinical Interventions Portal is a tool to allow the Organ Systems Branch staff to survey, review and search for scientific information regarding the SPORE Program.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF shared or disclosed. This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0036, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Legislation authority is the Public Health Service Act (42 U.S.C. 241, 242, 248, 281, 282, 284, 285a, 285b, 285c, 285d, 285e, 285f, 285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a, 289c, and 44 U.S.C. 3101). IIF collected is name, mailing address, and telephone number of the principal investigator. This database will allow OSB staff to also respond to inquiries and requests for information in a prompt fashion. These reports/responses do not require personal information, only scientific data and achievements in translational cancer research. The OSB staff will have full privilege to view grants information, budget information and clinical trials data (including protocols and patient accrual but not patient personal data). The nature of this information pertains to grant applications, supplement grant applications and contact information (about the principal investigator, project and core leaders, collaborators and if applicable, consortium members are contained in this database). The grant application information contains scientific data and short biosketches of individual investigators.

The grant application information is the same as that which resides in the IMPAC II warehouse. The additional information includes the specific scientific data pertaining to “subprojects”, “cores” and clinical trials (these do not exist on IMPAC II). The clinical trials were submitted directly via the Clinical Interventions Portal by the study PI, and the protocols were housed within a secured server. This information contains specifics of the clinical trials such as drugs or agents being used, all participating sites, primary and secondary endpoints, short description of the trial, regimen and other particulars intrinsic to a clinical trial. The patient accrual data only displayed the ethnic, gender and age categories. We do not collect any personal data on patients and submission of any personal information is not required. Information is submitted voluntarily.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: We will inform the principal investigators that the information housed in this database can be viewed by OSB staff (full privilege), NCI staff (limited privilege) and SPORE investigators (restricted). This tool has a secondary objective, which is to allow SPORE investigators (read-only) to see clinical trials that are ongoing or to search for projects that pertain to their area of interest. Confidential and budgetary information is restricted from their view.

As yet, we have not instituted any formal procedure or process to inform our investigators how their information is to be used. We keep our grantees apprised of the developments concerning this database, its information and usage. The SPORE Public website, Clinical Interventions portal and the upcoming relational database have always been referred to our investigators as a way to maintain and adhere to data sharing policies. However, we will make a formal notification to our current grantees; and also to new grantees as they are awarded.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote

Comments: IIF

PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Starcatcher-StarGazer (Starcatcher) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 12, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4915-00-110-219

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-12

7. System Name: NIH NCI Starcatcher/Stargazer (Starcatcher)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Mary Velthuis

10. Provide an overview of the system: StarCatcher/Star Gazer is a web application in which the public can enter and submit resumes for referral within the NCI.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Shared within NCI with NCI hiring managers per SOR 09-90-0018. This information is further addressed in the HHS Privacy Act Systems of Record Notice 09-90-0018, published in the Federal Register, Volume 59, November 9, 1994.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Authority to collect this information is National Cancer Act of 1971, SEC.407 (b) (4). A limited amount of information collected via StarCatcher is used by authorized NCI staff via StarGazer to identify candidates interested in working at the NCI. Submission of information is voluntary. The information specifically collected is the person's name, phone number, mailing address and e-mail address. There may or may not be other IIF on the resumes that individuals submit.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Candidates input information into StarCatcher and upon entry into the site, it is stated that: NCI maintains a resume databank of interested applicants for professional, administrative and internship positions that may have future openings. If you would like to post your resume, please choose a job category/specialty that we list.

On the website it is noted that: “The NCI StarCatcher Website accepts resumes from interested applicants for positions that may have future openings, it is not intended to solicit or accept applications for official vacancy announcements. Your contact information and resume will be kept on file in the StarCatcher Website for one year from the date you post your resume.”

There are no procedures in place to notify individuals when major changes occur to the system.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote

Comments: IIF

PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Status of Funds Internet Edition (SOFie) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 16, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NCI-73

7. System Name: NIH NCI Status of Funds Internet Edition (SOFie)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Bob Barber

10. Provide an overview of the system: SOFie is a financial tracking tool that allows users to access financial data and download the data into spreadsheets in order to perform analysis.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: All accounting transactions are available for viewing in SOFie. The information is used to track and plan fiscal budgets. It is necessary to have access to this data in order to comply with appropriations laws and regulations.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote

Comments: No IIF.

PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI The Cancer Genome Atlas (TCGA) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: Initial PIA Migration to ProSight

1. Date of this Submission: Jul 16, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-4918-00

4. Privacy Act System of Records (SOR) Number: None

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): NCI-83

7. System Name: NIH NCI The Cancer Genome Atlas (TCGA)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Subhashree Madhavan

10. Provide an overview of the system: The Cancer Genome Atlas (TCGA) is a three-year pilot cancer genome characterization and sequencing project to determine the feasibility of a large-scale effort to identify most of the genomic changes in three separate tumor types. The Data Coordinating Center (DCC) establishes and executes standard operating procedures, designs and implements data analysis procedures that perform quality checks on incoming data and report anomalies to the data source sites, and implements a data management pipeline to process data and prepare it for public distribution in formats and systems compatible with the caBIG program.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system collects medical gene data that is de-identified. The system does not collect any IIF. There are multiple de-identifying steps, so that no names, social security numbers, or any of the eighteen (18) HIPAA identifiers are collected. The system does collect de-identified gene data for research.

Patients voluntarily sign a consent form to allow their data to be used for research.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF

PIA Reviewer Approval: Promote


PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI This Fine System (TFS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 12, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4915-00-110-219

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: NA

6. Other Identifying Number(s): NCI-3

7. System Name: NCI TFS

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Anita LoMonico

10. Provide an overview of the system: Collects and maintains personnel management information.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Does not share IIF. The disclosures permitted by SOR 09-90-0018 are not made.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Regulatory authority: 42 U.S.C. 241(a)(2), 42 U.S.C. 282(b)(10), and 42 U.S.C. 284(b)(1)(k). Information is used for routine personnel management. The information contains IIF including name, date of birth, social security number, and employment status. Submission of information is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: TFS only imports data from other HHS/NIH personnel systems that are specifically used for personnel related reports. Consent is obtained from employees by the offices that run the systems that are the source of the data. There is no process in place to notify individuals of major changes in the system.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote

Comments: IIF.

PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCRR Internet Website (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4803-00-110-219

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NCRR Internet Website

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Erin Shannon

10. Provide an overview of the system: NCRR Public Website used to disseminate information about NCRR resources and grant programs to biomedical researchers with NIH or other peer-reviewed funding via the world wide web.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Shares employee work contact information to the public. Ref: 09-25-0106

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The NCRR website will disseminate information on NCRR initiatives and activities of relevance to the research community. Shares employee office contact information: name, title, position description, office location and phone numbers to expedite communication with the public.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: NCRR employees are notified that their office contact information is made publicly available in the course of their duties.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Policy and procedures are in place for administrative management of the system. Technical control is: firewalls, IDS, antivirus, and audit logs. Physical access to the server room is protected by a double set of locked doors and must be accessed using a key fob and pass code (cipher lock).

PIA Reviewer Approval: Promote


PIA Reviewer Name: Erin Shannon

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCRR Intranet Website (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4803-00-110-219

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NCRR Intranet

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Erin Shannon

10. Provide an overview of the system: To disseminate relevant information and useful dynamic applications to Center employees.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Shares employee information name, title, position description, office location and phone numbers (internally only). Ref: 09-25-0106

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Shares employee information: name, title, position description, office location and phone numbers (internally only) to increase organizational communication and efficiency. This information is "opt out" for each employee.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Not Applicable - the contact information in the NCRR intranet is used internally by NCRR employees and contractors only.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Policy and procedures are in place for administrative management of the system. Technical control is: username and password login, firewalls, IDS, antivirus, and audit logs. Physical access to the server room is protected by a double set of locked doors and must be accessed using a key fob and pass code (cipher lock).

PIA Reviewer Approval: Promote


PIA Reviewer Name: Erin Shannon

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCRR Rare Diseases Management (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 5, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Under Development

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NCRR Rare Disease Management System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Elaine Collier

10. Provide an overview of the system: RDMS is an online database system used by NCRR staff to track the status of protocols at the seven centers and the data coordinating center involved in the Rare Disease Network.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The data is shared internally for administrative use only and will not be shared with other entities. Information regarding potential IIF disclosure practices is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0036, published in the Federal Register, Volume 67, No. 187, September 26, 2002

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The information in this system is invaluable in supporting NCRR's ability to keep abreast of the status of the Rare Disease protocols. The data collected includes: principal investigator names, consortiums involved, committee types, committee members, conflict of interest participants; and other data such as protocol number, titles, addresses, phone and fax numbers, email addresses, etc. The addresses and phone numbers could be home addresses for some of the participants who work from home. All personal information in the system is submitted voluntarily.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: IIF data in the system is provided by the participants themselves. The participants must submit a consent form acknowledging that their information will be used internally and only their names, addresses, phone numbers, fax numbers and email addresses will be stored in the system. All other identifying information will be stored as hardcopy in locked files in the Office of Science Policy and Public Liaison and in the Division of Clinical Research Resources.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Policy and procedures are in place for administrative management of the system. Technical control is: NIH username and password login, firewalls, IDS, antivirus, and audit logs. Physical access to the server room is protected by a double set of locked doors and must be accessed using a key fob and pass code (cipher lock).

PIA Reviewer Approval: Promote


PIA Reviewer Name: Erin Shannon

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Jan 26, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCRR Science Information System (SIS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 5, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4802-00-110-219

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NCRR Science Information System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: R. Jean Babb

10. Provide an overview of the system: A database system used by NCRR staff to review annual progress report data, code the research activities, and prepare reports highlighting scientific accomplishments. This information is invaluable in supporting GPRA, PART, and other materials used to inform the Administration, Congress, interested parties and the general public. NCRR is working to integrate and strengthen clinical informatics.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): NCRR and NIH budget officials for reporting to Congress. Shares information internally for generating funding reports for NIH OD and Congress. Ref: 09-25-0036

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Information is obtained from the IMPAC II system and populates this database for internal use only. Information collected is the minimal necessary to code and report on research projects for funding the grantees and investigators. Mandatory for eRA submission.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The process in place is governed by IMPAC II, an NIH Enterprise System maintained by eRA. SIS has no additional processes in place.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Policy and procedures are in place for administrative management of the system. Technical control is: username and password login, firewalls, IDS, antivirus, and audit logs. Physical access to the server room is protected by a double set of locked doors and must be accessed using a key fob and pass code (cipher lock).

PIA Reviewer Approval: Promote


PIA Reviewer Name: Erin Shannon

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCRR Status of Funds Internet Edition (SOFie) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jan 2, 2008

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NCRR SOFIE

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Bonnie Richards

10. Provide an overview of the system: Manage expenditures and obligations. The purpose of the system is to monitor expenditures. Program helps project the budget; allows users to know how much money is left in the FY to spend.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: All accounting transactions are available for viewing in VSOF. The information is used to track and plan fiscal budgets. It is necessary to have access to this data in order to comply with appropriations laws and regulations. Data elements stored are: arbitrary Document #, Object Class Code, Vendor, Description of Expenses, and Purchase Amount.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF

PIA Reviewer Approval: Promote


PIA Reviewer Name: Erin Shannon

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Feb 15, 2008

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCRR Visual Employee Database System (VEDS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 5, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3196-00-403-131

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NCRR Visual Employee Database System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Bonnie Richards

10. Provide an overview of the system: VEDS is a Windows-based application primarily used to track personnel information.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The data is shared internally for administrative use only and will not be shared with other entities. Ref: 09-90-0018

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The NETCOMM application collects personal information from the NIH Human Resource Database (HRDB) through bi-weekly downloads. Social security numbers, names, grades, salaries, addresses, telephone numbers, and job titles are included in the data collected. The data collected is used to manage the organization's personnel information. Under authority 42 USC 287c-21

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: IIF in the system is gathered from the HRDB and NED systems. Changes to the system or changes in the way the information is used are relayed to employees via official notices from NCRR or the System Owners. Individuals are notified of the collection and use of data as part of the hiring process, and it is mandatory if the potential job applicant wishes to seek employment at NIH.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Access to sensitive data fields is limited to those that need to know. Each user signs a security statement, and any violation results in loss of access to the system. Policy and procedures are in place for administrative management of the system. Technical control is: username and password login, firewalls, IDS, antivirus, and audit logs. Physical access to the server room is protected by a double set of locked doors and must be accessed using a key fob and pass code (cipher lock).

PIA Reviewer Approval: Promote


PIA Reviewer Name: Erin Shannon

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NEI Clinical Studies Update System (CSUS) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Apr 23, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Clinical Studies Update System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Kym Collins-Lee

10. Provide an overview of the system: The CSUS is used to update the content of the NEI’s web-based clinical studies database. The database is intended to provide public information on clinical vision research results and assist in recruiting patients into appropriate studies. This information is made available to the public, but is maintained by NEI staff and grantees who conduct clinical research studies.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s):

(1) Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.

(2) Disclosure may be made from this system of records by the Department of Health and Human Services (HHS) to the Department of Justice, or to a court or other tribunal, when (a) HHS, or any component thereof; or (b) any HHS employee in his or her official capacity; or (c) any HHS employee in his or her individual capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the employee; or (d) the United States or any agency thereof where HHS determines that the litigation is likely to affect HHS or any of its components, is a party to litigation or has any interest in such litigation, and HHS determines that the use of such records by the Department of Justice, court or other tribunal is relevant and necessary to the litigation and would help in the effective representation of the governmental party, provided, however, that in each case, HHS determines that such disclosure is compatible with the purpose for which the records were collected.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Names and e-mail addresses are used by the NEI staff and grantees to access the system to update the information and add new study descriptions. Names and e-mail addresses are required for the user to access the CSUS. The only PII disseminated is already publicly available.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: A statement is included on the web site indicating the only usage is for the subscribers to share information. The only information collected is that supplied by the subscriber. If any change of information usage is made the subscribers will be contacted via email.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The server containing the VISION Network Members Only section is maintained by an NEI contractor who follows guidance from NSA, NIST, SANS, and CERT to maintain the security and integrity of the system.

Information contained in the lists is maintained by NEI staff and by specific request of the subscriber.

The system is monitored daily for intrusion by Big Brother, system logs, disk usage, and other indications of intrusion. McAfee Outbreak Manager is used to control any possible virus outbreaks.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Don Smith

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NEI Eye Bank (NEIBank) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-8710-00-110-219

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): 2004 UPI=009-25-01-26-02-8710-00-202-069, Older UPI=009-25-01-26-02-8710-00

7. System Name: NIH NEI Eye Bank (NEIBank)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Terry Williams

10. Provide an overview of the system: NEIBank is a web-based resource for the ocular genomics community.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory:

The data presented includes annotated, public domain expressed sequence tag (partial cDNA sequences) collections for multiple eye tissues from human and several other species; public domain eye-related human SAGE data; a database of known human eye disease genes from the published literature; and visualization tools for the genomic loci of as yet unmapped eye diseases. These resources provide an overview of the known transcriptional repertoire of the eye with visualization of specific clones, splice variants, human SAGE tag counts and candidate disease regions.

There is no IIF or personal information.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There are no processes in place. The system does not collect, maintain or store IIF or any user solicited material.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Trevor Peterson

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NEI EyeGene (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-25-0099

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH NEI EyeGene

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Terry Williams

10. Provide an overview of the system: A national collaborative network for ophthalmic research and diagnostic genotyping.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s):

09-25-0099 Physicians enter patient contact and medical information. The NEI coordinator is the only user outside the physician's office that has access to contact information. Medical information is tracked by either a generated number or by sex and date-of-birth.

CLIA labs have access to biometrics and medical notes.

Researchers have access to anonymized medical notes and biometrics.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Data is maintained for several purposes. Physicians enter and review symptomatic and contact information for their patients. CLIA labs will provide test results on minimally identified, physician-submitted patient samples. Results are available for physicians and their own patients.

Besides the physician, the project central administrator has access to participant contact information. The software developer/maintainer assists users who are authorized to have access to data.

Anonymized aggregate results are available to cooperating researchers.

Participation is voluntary and requires consent forms. Information includes contact information, disease history and symptoms, possibly including photographic images, and medical information relative to the symptoms.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared:

A written, signed consent form is required for patients to participate. For each participating clinical organization collecting data, the phone number of the organization and the email of at least one staff member of the organization will be kept as contact information should some intrusion into eyeGENE that could compromise privacy be detected.

There is no process to contact individuals when major changes occur to the system.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.:

CIT maintains physical, technical and administrative security on the shared server hosting this application.

The database application internally maintains valid access controls for the user.

All CIT physical, technical, and administrative controls are applicable for the IIF. Access to the system requires a userid and password. CIT sites are protected by the NIH perimeter firewall. Physical access to NIH requires admission by guards, who ensure that the individual has an NIH badge or that the individual's identity is registered upon entering the campus. Entry to the CIT host site requires review by a guard. CIT institutes other required administrative, technical, and physical controls as mandated by the HHS Secure One security program and NIST 800-53 standards.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Terry L. Williams

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NEI Grants Management (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: Alteration in Character of Data

1. Date of this Submission: Jan 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-04-00-02-8712-00-110-219

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): 2004 UPI=009-25-04-00-02-8712-00-205-080, Older UPI= 009-25-01-03-02-8703-00

7. System Name: NIH NEI Grants Management

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Terry Williams

10. Provide an overview of the system: Support management of NEI's grants.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s):

This system shares IIF with NIH IMPAC II. Information is shared to allow grants management administration data to be synchronized with IMPAC II.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: This system shares IIF with NIH IMPAC II. Information is shared to allow grants management administration data to be synchronized with IMPAC II.

IMPAC II states that information is given to IMPAC II voluntarily.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: All information is extracted from IMPAC II - all consent and notification is handled by IMPAC II.

The system does not have any notification and consent processes in place in addition to the IMPAC II procedures.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical access to the NIH campus requires an identification badge or registration as a visitor. Physical access to all server rooms is restricted; a brass key is required.

Data is stored on the system in folders with permissions appropriate to the data. Active Directory enforces access. Folder owners are responsible for authorizing access for individuals and adding them to existing permission groups.

Access to the files and databases is through userid and password as enforced by NIH Active Directory. An additional userid/password challenge is presented when logging in to the database.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Terry L. Williams

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Jun 30, 2006

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NEI GSS Sun (SUN) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No.

4. Privacy Act System of Records (SOR) Number: 09-25-0106, 09-25-0216

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NEI GSS Sun (SUN)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Terry Williams

10. Provide an overview of the system: NEI's Sun General Support System is to support eye research for public health by providing services to its users and the public. NEI uses the NEI SUN GSS for file storage, database, web and application services.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Contact information and descriptive job information is made available to employees. Information includes name, alias names, building, room number, work phone, job classification and code, institute division, and NIH-assigned unique identifier. 09-25-0106, 09-25-0216

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Contact information and descriptive job information is made available to employees. Information includes name, office work location, phone numbers, email addresses, job title and SAC code. The information is downloaded hourly from the NIH electronic directory to provide up-to-date and current information only.

The information is disseminated to employees via a web site to enable locating offices and contacting individuals in the course of normal business. It is also used by automated systems to provide contact information for selected sub groups.

Contact information, including IIF, is copied from NED. NED information is required by NIH and is submitted voluntarily.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No consent is obtained by NEI. No processes are in place to obtain consent from the individuals whose IIF is in the system when major changes occur to the system.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical access to the NIH campus requires an identification badge or registration as a visitor. Physical access to all server rooms is restricted; a combination or brass key is required.

Data is stored on the system in directories with permissions appropriate to the data and reviewed by the system administrator. The operating system enforces access based on the userid.

Access to the files and databases is through userid and password as enforced by the operating system. An additional userid/password challenge is presented when logging in to a database.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Terry L. Williams

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Jan 26, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NEI GSS Windows (WINDOWS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No.

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH NEI GSS Windows (WINDOWS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Terry Williams

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: We maintain files in support of the Institute's mission.

No PII is associated with the files.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Terry L. Williams

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NEI Internet Website (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Not Applicable

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): Old: 2004 UPI 009-25-01-27-02-8711-00-305-109, Old UPI: 009-25-02-01-02-3036-00

7. System Name: NIH NEI Internet Web site

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Terry Williams

10. Provide an overview of the system: To share information with the public about vision research and eye diseases and disorders.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Mailing list and contact information for those requesting information from NEI's Office of Communications. 09-25-0106

A separate email list is maintained by the subscribers. It contains only the email address of the subscriber.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Contact information is voluntarily collected. Information collected is only the information necessary to mail pamphlets or other printed information. Email address is voluntarily entered if the user joins an email list.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Information is submitted voluntarily; consent is assumed when contact information is submitted. Individuals may request corrections to or be removed from the email list.

There are no processes in place to notify users when major changes occur to the system.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Requests for information, name and address, are only available to NEI staff.

Email addresses on the email list are maintained by NEI staff and by specific request of the subscriber.

The system is monitored daily for intrusion by Big Brother, system logs, disk usage, and other indications of intrusion. McAfee Outbreak Manager is used to control any possible virus outbreaks.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Terry L. Williams

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NEI Personnel Actions Tracking System (PATS) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Mar 20, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Personnel Actions Tracking System (PATS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Trevor Peterson

10. Provide an overview of the system: PATS (Personnel Actions Tracking System) is a NEI automated system that allows for the tracking of HR actions from beginning to end. It is an Institute-wide, mandatory, automated system that provides Program and Administrative staff with up-to-date status and history of individual HR actions and provides supervisors with standardized reports to manage and measure HR, Program support, and administrative workloads. PATS facilitates streamlined tracking of processes which replaced a manual process supported by numerous stand-alone logs.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Disclosures are made in accordance with SOR # 09-90-0018

Names and e-mail addresses of individuals are collected and may be shared within the Institute or division in order to carry out the business process.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: This system is used to track personnel actions through the administrative process. Other than names and e-mail addresses of employees affiliated with such actions, and the names and e-mail addresses of the administrative officers involved in the work flow, it tracks no other personally identifiable information. The workflow process involved allows the position and disposition of a task or activity (with whom, when) to be identified in the organization. Information is obtained voluntarily.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The IIF contained in the system is that of employees of the Institute. This information was obtained voluntarily from the employees and is used to manage administrative tasks within the department. There is no process in place to notify individuals of how their IIF will be used or if major changes occur.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is on the intranet and is password protected. It does not have outward facing web access.

User access is strictly controlled. Permissions are granted on need-to-know. The campus has full time security and key lock access controls. The server room where the application resides is a controlled access site with a limited roster.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Trevor Peterson

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Apr 12, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NEI Status of Funds Internet Edition (SOFie) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Dec 18, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-3199-00

4. Privacy Act System of Records (SOR) Number: 09-25-0217 "NIH Business System (NBS), HHS/NIH"

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NEI Status of Funds Internet Edition (SOFie)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Don Smith

10. Provide an overview of the system: SOFie is a Web-based financial reporting/tracking tool that enables NIH ICs to manipulate and report on financial transactions downloaded from the Budget & Finance database in the NIH Data Warehouse. (The NIH DW Budget & Finance database comprises data downloaded from the NIH Business System.) Appointment and authority is given to the National Institutes of Health under 5 U.S.C. 301 and 302, 44 U.S.C. 3101 and 3102, Executive Order 9397.

The SOFie application supports the efforts of several offices and branches within NEI, allowing budget offices to track expenditures of direct, reimbursable, and non-appropriated funds in a fiscal year. Additionally, SOFie is used to reflect budget allocations and projected expenditures at the operating level.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No sharing or disclosures at this time. Refer to the Privacy Act systems notice 09-25-0217 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES for the allowed disclosures of IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Grantee and contractor (NIH grant recipient and contractor) personal information maintained comprises: name and financial account information. User (NIH employee) personal information maintained comprises: name, phone numbers, email addresses. NEI accounting transactions are downloaded from the Budget & Finance database in the NIH Data Warehouse. (The NIH DW Budget & Finance database comprises data downloaded from the NIH Business System.) The data is used to plan, track, and report on NEI fiscal budgets.

The SOFIE system collects IIF in the form of First Names, Last Names, Phone Numbers, Fax Numbers, and Email Addresses of its users voluntarily.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No processes are in place to notify and obtain consent from the individuals whose IIF is in the system when major changes, as defined in Section 208 of the E-Government Act of 2002, occur to the system.

When applying for grants or contracts, applicants are informed that personal information is collected for accurate identification, referral and review by program managers. Refer to the system of record 09-25-0217 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES for a summary of the notice of uses of information.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical controls: Guards, Identification badges, key cards and closed circuit TV

Technical controls: User ID, passwords, firewall, Virtual Private Network (VPN)

Administrative controls: Weekly backups, weekly log file checks, warning banners, database management

PIA Reviewer Approval: Promote


PIA Reviewer Name: Trevor Peterson

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Feb 15, 2008

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NEI Telework (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jul 11, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: no

4. Privacy Act System of Records (SOR) Number: 09-25-0216

5. OMB Information Collection Approval Number: no

6. Other Identifying Number(s): no

7. System Name: NEI Telework Application

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Trevor Peterson

10. Provide an overview of the system: NEI Telework Application is a NEI Automated System that allows for the submission, routing, and approval of telework requests. It is an institute-wide, mandatory, automated system that replaces a manual process.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Disclosures are made in accordance with SOR # 09-25-0216

Names and contact information of individuals are collected and may be shared within the Institute or division in order to carry out the business process.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: This system is used to request approval for telework and store agreement (schedule, work arrangement, justifications) and necessary contact information (name, work org, address, phone, fax, e-mail, home address, phone, fax). Other than names and contact information of applicant employees, and the names and e-mail addresses of the approving officials, it tracks no other personally identifiable information. The workflow process involved allows the position and disposition of a task or activity (with whom, when) to be identified in the organization. Information is obtained voluntarily.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The IIF contained in the system is that of employees and contractors of the Institute. This information was obtained voluntarily from the employees and is used to manage administrative tasks within the department. There is no process in place to notify individuals of how their IIF will be used or if major changes occur.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical access to the NIH campus requires an identification badge or registration as a visitor. Physical access to all server rooms is restricted; combination or brass key is required.

Data is stored on the system in directories with permissions appropriate to the data and reviewed by the system administrator. The operating system enforces access based on the userid.

Access to the files and databases is through userid and password as enforced by the operating system. An additional userid/password challenge is presented when logging in to a database.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Trevor Peterson

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NEI VISION Network Members Only (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Apr 20, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: VISION Network Members Only

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Kym Collins-Lee

10. Provide an overview of the system: The purpose of the VISION Public Information Network is to communicate vision research results to the public through its grantee institutions. Public Information Officers from NEI grantee institutions work with the NEI to develop ongoing programs to educate the public about the benefits of vision research. The Members Only section allows members to access special media materials, to post news releases, projects and events, and to advertise job opportunities.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): (1) Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.

(2) Disclosure may be made from this system of records by the Department of Health and Human Services (HHS) to the Department of Justice, or to a court or other tribunal, when (a) HHS, or any component thereof; or (b) any HHS employee in his or her official capacity; or (c) any HHS employee in his or her individual capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the employee; or (d) the United States or any agency thereof where HHS determines that the litigation is likely to affect HHS or any of its components, is a party to litigation or has any interest in such litigation, and HHS determines that the use of such records by the Department of Justice, court or other tribunal is relevant and necessary to the litigation and would help in the effective representation of the governmental party, provided, however, that in each case, HHS determines that such disclosure is compatible with the purpose for which the records were collected.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Names and e-mail addresses are used by the NEI staff and grantees to access the system to update the information and add new study descriptions. Names and e-mail addresses are required for the user to access the VISION Network Members Only section. Contact information of list members is available only to each other.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: A statement is included on the web site indicating the only usage is for the subscribers to communicate with each other. The only information collected is that supplied by the subscriber. If any change of information usage is made the subscribers will be contacted via email.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The server containing the VISION Network Members Only section is maintained by an NEI contractor who follows guidance from NSA, NIST, SANS, and CERT to maintain the security and integrity of the system.

Information contained in the lists is maintained by NEI staff and by specific request of the subscriber.

The system is monitored daily for intrusion by Big Brother, system logs, disk usage, and other indications of intrusion. McAfee Outbreak Manager is used to control any possible virus outbreaks.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Don Smith

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NEI Visual Status of Funds (VSOF) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-02-3198-00-402-125

4. Privacy Act System of Records (SOR) Number: No - not subject to PIA

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): Older UPI: 009-25-02-01-02-3036-00

7. System Name: NIH NEI Visual Status of Funds (VSOF)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Terry Williams

10. Provide an overview of the system: National Eye Institute (NEI) use of Visual Status of Funds software. Visual Status of Funds (VSOF) is a multi-user integrated database of financial transactions from the NIH Central Accounting System used by multiple NIH institutes.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Accounting data and related document information is downloaded from ADB and is relevant or specific to NEI for its fiscal year operations. The system contains no IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The system contains no IIF.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Terry L. Williams

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI Attention Deficit Hyperactivity Disorder Database (ADHD) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 25, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-9199-00-404-138

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: not applicable

6. Other Identifying Number(s): not applicable

7. System Name: NHGRI ADHD Database

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Maria Acosta, MD

10. Provide an overview of the system: Database of demographic and clinical research data on ADHD (Attention Deficit Hyperactivity Disorder).

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Data is shared among members of the ADHD research team. This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0200, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Name, date of birth, mailing address, phone numbers, medical notes, email address, family and blood sample accession numbers, genetic pedigree. Information is given voluntarily.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Patients and/or parents sign an IRB (Internal Review Board) informed consent form mailed to them and mailed back to the research study coordinator. Patients and/or parents are informed that protocol related information will be used for research purposes and restricted to study team members only. Families that agree to participate are contacted by the study coordinator. No changes in the system or modifications in the database have been done from the original design. No modifications are expected. Currently no reason to re-contact families that have finished the data collection part of the study.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Access is limited to research team members only; files backed up regularly and back up files stored offsite; user ID and password required; firewall present; accounts locked after five minutes of inactivity, computers in locked offices

PIA Reviewer Approval: Promote


PIA Reviewer Name: Gloria Butler, 301-594-1061

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI Community of Genetic Educators (CoGE) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Oct 10, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-25-0156

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Community of Genetic Educators (CoGE) NIH

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jeff Witherly

10. Provide an overview of the system: The "Community of Genetic Educators" website was created to help connect genetic educators online. It is a forum for information sharing. With so many resources available, it is sometimes difficult for educators to know what will work in the classroom. This website may be used to find resources, to recommend resources, learn from other members in similar situations, act as a mentor to other members, submit helpful lessons learned and resources, and work with the education team at the NIH Genome Institute (NHGRI) in reviewing and refining learning tools.

Each site visitor is asked to register on the first visit. Registration includes setting up an account with password, name, email address, state/country, language, time zone, current education position, type of school info, teaching experience and instructional focus. Voluntary information that further defines the visitor includes affiliations, a text box for a biography and the option to add a photograph.

After registration the visitor is given immediate access to the site which includes many resources and a messaging forum.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: To register for site access, the following information is mandatory: First and last name, email address, country, state, language, time zone, current education position, other positions, type of school, minority serving institution, location, school level, teaching experience, and instructional focus. Of the information required, name and email address are considered to be information in identifiable form (IIF).

The following information is voluntary: affiliations, biography, photo. A photo is considered to be information in identifiable form (IIF).

The "Community of Genetic Educators" website was created to help connect genetic educators online. It is a forum for information sharing. With so many resources available, it is sometimes difficult for educators to know what will work in the classroom. This website may be used to find resources, to recommend resources, learn from other members in similar situations, act as a mentor to other members, submit helpful lessons learned and resources, and work with the education team at the NIH Genome Institute (NHGRI) in reviewing and refining learning tools.

Each site visitor is asked to register on the first visit. Registration includes setting up an account with password and includes the mandatory information listed above. Voluntary information further defines the visitor and will better introduce this person to others visiting the site.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There is an extensive Privacy statement displayed on the registration page. Additional information is made available through a link called “Privacy” displayed on each web page, which includes the following:

Personally Provided Information

Information Required For Membership:

We require each member to enter a limited amount of personal information as part of the registration process of the CoGE web site. This information is typically required as part of our NHGRI educational course registrations, and will be used at the CoGE for contacting CoGE members about events, opportunities, and new educational products of value.

We have made every attempt to make the required information as minimal as possible for members. This information includes: your name, your email address, country, state, and current educational position (teacher, administrator, other). We will also ask you to choose a member name and a member password.

Your real name, and your email address are not shared online in the CoGE. Only CoGE administrators have access to this personal information. Members will only know your member name and your CoGE email address.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The amount of IIF collected is minimal, only that which is absolutely needed to meet the needs of the system's purpose.

Registration information is not available to the users of this site unless they choose to share with one another. This voluntary sharing of information is not being managed by the system.

From an administrative point of view, only a limited number of staff have access to the IIF. Support personnel will have access for maintenance purposes. The system owners and administrators will have access for the creation of aggregate reports. A well-constructed set of rules of behavior is in place for all who have access to the IIF.

The technical and physical aspects are properly cared for by placing the system on a secured server, in a secured location. A separate C&A was completed for the server that houses this application by the IT staff. Firewalls and other security devices are in place.

PIA Reviewer Approval: Promote

Comments: I have requested an update to the SORN to include POC from NHGRI.

The C&A for CoGE is in the final stages and should be completed soon.

PIA Reviewer Name: Gloria Butler, 301-594-1061

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Feb 15, 2008

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI LabMatrix (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 25, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: n/a

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: not applicable

6. Other Identifying Number(s): not applicable

7. System Name: Lab Matrix

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dr Gretchen Gibney

10. Provide an overview of the system: Research and clinical database which contains info related to clinical, lab, data collection and Internal Review Board findings from study protocols. NHGRI professional medical staff (MD, RN, Genetic Counselor) access for research purposes.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Restricted to research. This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0200, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: research and clinical database of patient information including demographics, protocol data, medical records, medical record number, photographic identifier, email address, employment data. IIF contained. Information submission is voluntary. Information is used for research purposes only per individual research protocol.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: IRB (Internal Review Board) approved informed consent form. In the event of sharing of information or major changes to database, individuals would be re-consented per IRB guidance.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Access is password/ID restricted to authorized users and controls for each user are specified. All data is encrypted and monitored in a locked, secure setting.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Gloria Butler, 301-594-1061

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI Status of Funds Internet Explorer (SOFie) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 25, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3199-00

4. Privacy Act System of Records (SOR) Number: no

5. OMB Information Collection Approval Number: no

6. Other Identifying Number(s): no

7. System Name: NHGRI Visual Status of Funds Internet Explorer (SOFie)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Eddie Rivera

10. Provide an overview of the system: An organizational reporting tool that allows an organization to manipulate and report on financial transactions downloaded from the NIH Central Accounting System. The information is general accounting info by category, with totals by category, and has no info specific to employees.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): no

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Accounting data and related document information is downloaded from CAS/Central Accounting System mainframe and is specific to NHGRI/OD Office for its fiscal year operations. The information is general accounting info by category (ex. wages), with totals by category, and nothing specific to individual employees. The system contains no IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Gloria Butler, 301-594-1061

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI Telework Application (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Mar 23, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: no

4. Privacy Act System of Records (SOR) Number: 09-25-0216

5. OMB Information Collection Approval Number: no

6. Other Identifying Number(s): no

7. System Name: Telework Application

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Gloria Butler

10. Provide an overview of the system: This system automates the Telework application and approval process. Each applicant logs into the Telework program, enters an application to telework, which is then electronically routed to those who will review/approve the application.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s):

Information gathered is for internal administrative use only and not shared with other entities. Access is limited to our internal administrators, telework reviewers/approvers, and software maintenance contracting staff. This is further addressed in the NIH Privacy Act Systems of Record Notice (SORN) 09-25-0216.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The questions asked are all mandatory, needed to determine where and under what circumstances the applicant will be teleworking. Data items: name, work phone numbers, home address and phone are IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Before a telework application is submitted, each applicant discusses requirements and forms that must be completed with his/her supervisor. All IIF information is then submitted by the applicant through the automated telework program. At log on to the system, on the main login screen, each applicant sees a Privacy statement that describes how the data will be used. The following statement is viewed by each person who enters the system: "Purposes and Uses - The information entered into this data system will become a part of the NHGRI Telework Application & Approval System which managed the electronic evaluation of telework applications. The primary use of the information is to evaluate an employee's request to telework. The information will only be used as part of the application process and will not be disclosed to anyone other than the NHGRI Telework Coordinator, Managing Supervisor, NHGRI Executive Officer and appropriate contracting staff."

No changes to how the data is being used are planned or expected. At this time no major changes to the system are planned. If/when changes are made, each applicant or person renewing an application will have access to the new procedures through the log on screen "Purposes and Uses" section, which will be modified to accommodate any access or policy changes made to the system.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative Controls: The number of administrators who can view all data is strictly limited by the institute, and access is monitored through an audit report. The software itself captures information on all system access (audit report). This audit is available to the system maintenance contractor and the system administrator only. The administrator has a policy in place to review these accounts on a regular basis, and to take action on any suspicious activity.

Technical Controls: The system data is secured using role based authentication to access/view the files. Everyone is required to enter a user name/password to enter the system. Each person has access to his/her own data submissions only. All user accounts/roles are verified before access is given to those using the system to submit an application, or to review/approve an application. Immediate supervisors can only view their own staff applications, and only gain access through an email forwarded to them by the telework system.

Physical Controls: The system is stored on an NHGRI file server (with encryption) in a secured data center. The center has the appropriate technical and physical controls (firewalls, security cameras, data back up procedures, facility security, etc.) in place to protect all IIF.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Gloria Butler

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI Trainee Tracking Database (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: not applicable

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: not applicable

6. Other Identifying Number(s): not applicable

7. System Name: Training and Tracking Application

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dave Kanney and/or Michelle Hamlet

10. Provide an overview of the system: The system supports the overall training mission of the intramural program through the monitoring and tracking of trainees at all levels. The database enables the ITO (Intramural Training Office) to create and manage records for all trainees. A record of each trainee contains name, degree, gender, race, department and mentor and is maintained to capture aggregate demographic information, to track the progress of individual trainees, and to manage follow-up surveys, annual reviews, and exit interviews critical for the evaluation of the training program. The information in the database, aggregated across the data set, presents a snapshot of the size and demographics of the trainees each year.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): no. This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-90-0018, published in the Federal Register, Volume 59, November 26, 1994.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Annual reviews, branch, position title, EOD (Enter on Duty), name, CV (resume), gender, race/ethnicity for diversity and evaluation purposes. The system contains IIF and submission is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Any changes in the system would not change the data, therefore, there is no need to notify and obtain consent.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Database secured behind locked doors, login/password/id protected with very limited 'need-to-know' users.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Gloria Butler, 301-594-1061

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NHGRI Visual Employee Database System (VEDS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3196-00-403-131

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: no

6. Other Identifying Number(s): no

7. System Name: NHGRI Visual Employee Database System (VEDS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Matthew Burr

10. Provide an overview of the system: VEDS is a Windows-based application primarily used to manage and track personnel information. Authority for maintenance of the system: 5 U.S.C. 1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521, and Executive Order 10561.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): For internal administrative use only and not shared with other entities. SOR 09-90-0018

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Information is for internal administrative use only and will not be shared with other entities. Information downloaded from the NIH Human Resources Database. Mandatory.

Name, date of birth, SS#, mailing address, phone numbers, email address, employment status/records, VISA status, salary information, personnel action information.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: It is an electronic system with very limited "need-to-know" users, and is password protected. Individuals are not consented or notified individually. IIF is not collected from individuals, only through downloading of data from NIH Human Resources Database.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: user ID, passwords, firewall, VPN, encryption, minimum length of password is eight characters, key cards,

PIA Reviewer Approval: Promote


PIA Reviewer Name: Gloria Butler, 301-594-1061

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Clinical Data System (CDS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jan 5, 2008

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-7213-00-202-069

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH NHLBI Clinical Data System (CDS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Melissa Bryant

10. Provide an overview of the system: The NHLBI-CDS collects and manages data emanating from clinical studies and allows for monitoring recruitment and tracking patients. It is a multi-tiered, Web-based system where research-related data are entered to facilitate the generation of regulatory reports and data sets for analyses.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The NHLBI-CDS produces Medical Record reports that are filed in the Clinical Center Medical Records Department and are also sent to the patient’s referring physician. SOR number is 09-25-0200.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The NHLBI-CDS collects and manages data emanating from clinical studies and allows for monitoring recruitment and tracking patients and analyzing results. Collection of this information is authorized under sections 301, 319F-1, 402, and 405 of the PHS Act which authorize the HHS Secretary to conduct and support research.

The primary use of this information is to track clinical research results for studies conducted at the National Institutes of Health. Information such as patient name, address, medical history, test and procedure results, and other research related information is collected and maintained. NHLBI-DIR uses this information to analyze and report the results of clinical research being conducted within the division. The information collected includes IIF and all patients enrolled on clinical studies sign an informed consent related to their participation in clinical research. Some of the information is used for Medical Record reporting and for providing the patient’s referring physicians with the test results and assessments related to the patient’s visit. Information is provided on a voluntary basis as participation in clinical trial research is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: All patients sign an informed consent (paper) related to their participation in clinical research and how their data will be used. There is no process for obtaining consent from individuals whose IIF is in the system when major system changes occur; however, this system is an internal system (only available within NIH) and data are de-identified for the purpose of summarizing and publishing research results.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Data is maintained in a secure database. Routine access is restricted to authorized employees and contractors only according to the principle of least privilege by the use of user name and password access controls. Additional technical and administrative controls are also employed, including badge access, intrusion detection system, firewalls, virtual private networks, encryption, etc. The NHLBI-CDS staff monitors system access for intrusion detection and reviews audit logs to identify inappropriate browsing or inappropriate database access. Computer security incidents are referred to the NIH Incident Response Team (NIH IRT). Contractors are required to have employment suitability determinations, National Agency Checks, credit checks, and/or background investigations, commensurate with the position. Contractors are also required to sign an NIH non-disclosure agreement prior to being given access to the NHLBI-CDS. Contractors must take the NIH security awareness training.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Melissa Bryant

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Data Center (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: May 23, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: NO

4. Privacy Act System of Records (SOR) Number: NO

5. OMB Information Collection Approval Number: NO

6. Other Identifying Number(s): NO

7. System Name: NHLBI Data Center

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Cindy Walczak

10. Provide an overview of the system: The NHLBI Data Center supports approximately 1,300 users at the NHLBI. The NHLBI Data Center is located in the Customer Service Area (CSA) 2 in the NIH Data Center in Building 12 on the NIH main campus in Bethesda, MD and at the NIH Consolidated Co-Location Site (NCCS) at the Qwest data center in Sterling, VA.

The NHLBI Data Center comprises servers and SANs constituting a General Support System.

Although many applications reside on servers in the NHLBI Data Center, the Data Center itself does not process or store any IIF. (Individual application PIAs will address any and all IIF.)

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF shared or disclosed.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: No IIF collected, contained, maintained, or disseminated.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A--No IIF in the system.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A--No IIF in the system.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Cindy Walczak, NHLBI ISSO

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Extramural Program Development (EP) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-7204-00-202-069

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NHLBI Extramural Program

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ralph Van Wey

10. Provide an overview of the system: Manage NHLBI Extramural Research Programs.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Grant data is available to reviewers during submission/evaluation of potential grants. See SOR 09-25-0036

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Collection of this information is authorized under 5 U.S.C. 301. Information collected by the system includes: funding applications, awards, trainee appointments and advisory committee records. The primary use of this information is for government personnel to conduct grant application reviews, approvals, and to create reports related to grant applications. Submission of this information is mandatory for grant applications to be processed.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There is no process to notify or obtain consent when there is a major change to the system that affects disclosure and/or data uses since the notice at the time of the original collection.

Applicants are notified data is collected when they enter it into the system, or fill in the paper application.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This system has been subject to a Certification and Accreditation (C&A) process, during which all technical, administrative and physical controls were evaluated. These controls are defined in NIST publication 800-53 Recommended Security Controls for Federal Information Systems.

The system is housed in a secure server room, which is located in a building protected by security personnel 24/7 (door locks, key badge, etc…). Technical controls ensure that no unauthorized access is permitted (passwords, certificates, encryption, firewalls, etc…). Strict administrative controls are in place to ensure the system is operated in a safe, consistent manner (least privilege, separation of duties, background investigations, etc…).

PIA Reviewer Approval: Promote


PIA Reviewer Name: Ralph Van Wey


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Internet Website (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-27-02-7299-00-305-109

4. Privacy Act System of Records (SOR) Number: 09-25-0106, 09-90-0024

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NHLBI Web Site

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Mark Malamud

10. Provide an overview of the system: Disseminates health information and information and policies related to NHLBI Extramural and Intramural Programs.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Credit Card information is transferred to Verisign for cost recovery.

Information from Techfinder may be shared with the NIH Office of Technology Transfer, which is responsible for licensing NIH technology. SOR is 09-25-0106 and 09-90-0024.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Voluntary; contains IIF:

o names and mailing addresses, email addresses, phone and FAX numbers for delivery of purchased items, purchase confirmation, verification, and updating information,

o credit card numbers for: purchase of items (cost recovery),

o Login credentials needed to update staff profiles

Voluntary; does not contain IIF

o Names of organizations and description, general job titles, organizational unit, research interests, contact information, information about an activity (including dates), expected audience, and setting (e.g., healthcare, work site, community, media, etc.) for posting on the Web, publicizing local activities, or developing interest in NHLBI activities, also for staff recruitment of new postdocs and principal investigators.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The individuals are contacted by either email or US Post, depending on the information in that particular system.

Notification of intent to use information is available on the Web application or Web sites.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: Yes

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Mark Malamud

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Intramural Research Application Development (IR) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-7203-00-202-069

4. Privacy Act System of Records (SOR) Number: 09-25-0099

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NHLBI Intramural Program

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ralph Van Wey

10. Provide an overview of the system: Manage NHLBI Intramural Research Programs.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Clinical test results are available to authorized researchers and caregivers. See SOR 09-25-0099

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Collection of this information is authorized under 42 U.S.C. 241, 248. The system collects medical treatment record data. This information is used to provide evaluations and treatments to patients, and for subsequent medical research. The researchers and caregivers will have access to this information. Submission of this information is mandatory for all medical research patients.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: All patients sign an informed consent (paper) related to their participation in clinical research and how their data will be used. There is no process for obtaining consent from individuals whose IIF is in the system when major system changes occur; however, this system is an internal system (only available within NIH) and data are de-identified for the purpose of summarizing and publishing research results.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This system has been subject to a Certification and Accreditation (C&A) process, during which all technical, administrative and physical controls were evaluated. These controls are defined in NIST publication 800-53 Recommended Security Controls for Federal Information Systems.

The system is housed in a secure server room, which is located in a building protected by security personnel 24/7 (door locks, key badge, etc…). Technical controls ensure that no unauthorized access is permitted (passwords, certificates, encryption, firewalls, etc…). Strict administrative controls are in place to ensure the system is operated in a safe, consistent manner (least privilege, separation of duties, background investigations, etc…).

PIA Reviewer Approval: Promote


PIA Reviewer Name: Ralph Van Wey

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI LAN GSS (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Feb 19, 2008

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: NO

4. Privacy Act System of Records (SOR) Number: NO

5. OMB Information Collection Approval Number: NO

6. Other Identifying Number(s): NO

7. System Name: NHLBI LAN GSS

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Cindy Walczak

10. Provide an overview of the system: The NHLBI-managed LANs general support system (GSS) is owned and maintained by the Information Technology Resources Branch (ITRB) of the NHLBI Center for Biomedical Informatics (CBI). NHLBI LANs assets are located in buildings 10, 14, and 31 on the NIH main campus in Bethesda, MD as well as in the off-campus Rockledge One and Two buildings in Bethesda, MD and the 5RC building in Rockville, MD. The NHLBI LANs GSS provides network connectivity for NHLBI information systems, applications, and users.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF shared or disclosed.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: No IIF collected, contained, maintained, or disseminated.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A--No IIF in the system.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A--No IIF in the system.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Cindy Walczak

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Mar 3, 2008

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Status of Funds Internet Edition (SOFie) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NHLBI SOFie

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sandra Gault

10. Provide an overview of the system: Manage expenditures and obligations. The purpose of the system is to monitor expenditures. Program helps project the budget; allows users to know how much money is left in the FY to spend.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: All accounting transactions are available for viewing in VSOF. The information is used to track and plan fiscal budgets. It is necessary to have access to this data in order to comply with appropriations laws and regulations. Data elements stored are: arbitrary Document #, Object Class Code, Vendor, Description of Expenses, and Purchase Amount.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF

PIA Reviewer Approval: Promote


PIA Reviewer Name: Cindy Walczak

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Jan 25, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Visual Employee Database System (VEDS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3196-00-403-131

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name: Visual Employee Data System (VEDS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jim Menasian

10. Provide an overview of the system: Provides management of staffing levels and personnel for NHLBI programs

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No sharing or disclosure. SOR is 09-90-0018.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Most of the data is downloaded from the central personnel system. Additional personnel data is entered on staff not in the central database. Submission of IIF is a necessary pre-requisite for employment. The database is used for reporting and managing staffing levels [FTEs] and costs across various hiring mechanisms.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: IIF in the system is gathered from the HRDB system. Changes to the system or changes in the way the information is used are relayed to employees via official notices from OHR. Individuals are notified of the collection and use of data as part of the hiring process; submission is mandatory if the potential job applicant wishes to seek employment at NIH.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, an intrusion detection system, firewalls, locks, badge access, background investigations. A comprehensive IRT capability is also maintained.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Ralph Van Wey

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NHLBI Visual Status of Funds (VSOF) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-02-3198-00-402-125

4. Privacy Act System of Records (SOR) Number: 09-90-0024

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): None

7. System Name: Visual Status of Funds (VSOF)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jim Menasian

10. Provide an overview of the system: Manage expenditures and obligations

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: All accounting transactions are available for viewing in VSOF. The information is used to track and plan fiscal budgets. It is necessary to have access to this data in order to comply with appropriations laws and regulations.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF

PIA Reviewer Approval: Promote


PIA Reviewer Name: Ralph Van Wey

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIA Aging Data Administration Management System (ADAMS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-04-00-02-4302-00-101-001

4. Privacy Act System of Records (SOR) Number: 09-25-0036 Extramural Awards and Charted Advisory Committees

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Aging Data Administration Management System (ADAMS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Larry Washburn

10. Provide an overview of the system: The Aging Data Administration Management System (ADAMS) is a tracking and recording system for grants. It allows the user to code competing applications before council meetings, scientifically code grants based on their study, perform ad hoc queries, and generate reports. Legislation to authorize this activity is under 5 U.S.C. 301; 42 U.S.C. 217a, 241, 282(b)(6), 248a, and 288. 48 CFR Subpart 15.3 and Subpart 42.15. More specific functions include: allocation and adjusting funding estimates for grants based on their budgets, summarizing grant funding by specific categories for reporting to Congress, and reporting committed, pending, and obligated records with future year commitments.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No sharing or disclosures at this time. Refer to the system of record 09-25-0036 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES for the allowed disclosures of IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system stores information on grant applications and current and historical information on grant applications and contracts awarded by the NIH, including performance evaluations. The information is used to support centralized grant programs and contract management. IIF in the system includes name, mailing address, email address, telephone number, financial account information, and grant and/or contract number.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No processes are in place to notify and obtain consent from the individuals whose IIF is in the system when major changes, as defined in Section 208 of the E-Government Act of 2002, occur to the system.

When applying for grants, applicants are informed that personal information is collected for accurate identification, referral and review by grants program managers. Refer to the system of record 09-25-0036 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES, for a summary of the notice of uses of information.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical controls: Guards, Identification badges, key cards and closed circuit TV.

Technical controls: User ID, passwords, firewall, Virtual Private Network (VPN).

PIA Reviewer Approval: Promote


PIA Reviewer Name: Larry Washburn 301-451-8829

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIA Baltimore Longitudinal Study of Aging (BLSA) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4303-00-110-219

4. Privacy Act System of Records (SOR) Number: 09-25-0200 Clinical, Basic and Population-based Research Studies

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name: Baltimore Longitudinal Study of Aging (BLSA)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Larry Washburn

10. Provide an overview of the system: The Baltimore Longitudinal Study of Aging collects information on study participants for clinical research. The system is located on the 5th floor of the Harbor Hospital Center and the 2nd floor of the Gerontology Research Center in Baltimore, MD. Appointment and authority is given to the National Institutes of Health under Public Service Act, 42 U.S.C. 241, 242, 248, 281, 282, 284, 285a, 285b, 285c, 285d, 285e, 285f, 285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a, 289c, and 44 U.S.C. 3101.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No sharing or disclosures at this time. Information regarding potential disclosure practices is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0200, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The personal information collected includes: name, mother’s maiden name, date of birth, (voluntary) SSN, mailing address, phone number, medical record numbers, notes and email address. Information is used in examining the clinical questions addressed by the study, and to contact the consenting participants with the results of testing and to collect clinical follow-up information. The information collected is the minimum required to accomplish the stated mission.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No processes are in place to notify and obtain consent from the individuals whose IIF is in the system when major changes, as defined in Section 208 of the E-Government Act of 2002, occur to the system.

All participants sign an informed consent form acknowledging their voluntary participation in the study and their rights under HIPAA. (Refer to the Privacy Act systems notice 09-25-0200 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES for a summary of the notice of uses of information.)

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical controls: Guards, Identification badges, key cards and closed circuit TV

Technical controls: User ID, passwords, firewall, Virtual Private Network (VPN)

PIA Reviewer Approval: Promote


PIA Reviewer Name: Larry Washburn 301-451-8829

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Jan 25, 2007

Date Published: Aug 15, 2007


06.3 HHS PIA Summary for Posting (Form) / NIH NIA Clinical Research System (CRS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4303-00-110-219

4. Privacy Act System of Records (SOR) Number: 09-25-0200 Clinical, Basic and Population-based Research Studies

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Clinical Research System (CRS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Larry Washburn

10. Provide an overview of the system: The Clinical Research System is a product of the Clinical Research Branch of the NIA Intramural Research Program. It collects personal information on the participants of the Baltimore Longitudinal Study on Aging as well as clinical research studies. The system is physically located on the 5th floor of the Harbor Hospital Center in Baltimore, Maryland.

Appointment and authority is given to the National Institute on Aging under Public Service Act, 42 U.S.C. 241, 242, 248, 282, 284, 285a, 285b, 285c, 285d, 285e, 285f, 285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a, 289c, and 44 U.S.C. 3101.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No sharing or disclosures at this time. Refer to the system of record 09-25-0200 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES for the allowed disclosures of IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Personal information is collected during the initial and subsequent visits to the clinical research branch. This information includes: name, mother’s maiden name, date of birth, social security number, mailing address, phone number, medical record numbers, notes and email address. Information is used to contact the consenting participants with the results of testing, to collect follow-up information, and as part of the clinical research. The information collected is the minimum required to accomplish the stated mission.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No processes are in place to notify and obtain consent from the individuals whose IIF is in the system when major changes, as defined in Section 208 of the E-Government Act of 2002, occur to the system.

All participants sign an RRB-approved informed consent form acknowledging their voluntary participation in the study and their rights under HIPAA. (Refer to the system of record 09-25-0200 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES, for a summary of the notice of uses of information.)

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical controls: Guards, Identification badges, key cards and closed circuit TV

Technical controls: User ID, passwords, firewall, Virtual Private Network (VPN)

PIA Reviewer Approval: Promote


PIA Reviewer Name: Larry Washburn 301-451-8829

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIA Computational Resources (COMP RES) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4305-00-110-219

4. Privacy Act System of Records (SOR) Number: 09-25-0200 Clinical, Basic and Population-based Research Studies

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Computational Resources (COMP RES)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Larry Washburn

10. Provide an overview of the system: COMP RES comprises commodity servers and workstations used by NIA Intramural Research Program (IRP) scientists for clinical research. Appointment and authority is given to the National Institute on Aging under Public Service Act, 42 U.S.C. 241, 242, 248, 282, 284, 285a, 285b, 285c, 285d, 285e, 285f, 285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a, 289c, and 44 U.S.C. 3101.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF collected, stored, or processed.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: De-identified clinical research data. No IIF collected, stored, or processed.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A--No IIF collected, stored, or processed.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF collected, stored, or processed.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Larry Washburn 301-451-8829

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIA ERP LANs (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-03-00-02-4399-00-304-104

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: ERP Local Area Networks (LANs)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Larry Washburn

10. Provide an overview of the system: NIA Extramural Research Program (ERP) Local Area Networks (LANs) in Bethesda, MD. These networks support NIA ERP clinical research and administrative activities. Appointment and authority is given to the National Institute on Aging under Public Service Act, 42 U.S.C. 241, 242, 248, 282, 284, 285a, 285b, 285c, 285d, 285e, 285f, 285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a, 289c, and 44 U.S.C. 3101.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF collected, stored, or processed.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: No IIF collected, stored, or processed.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A--No IIF collected, stored, or processed.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF collected, stored, or processed.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Larry Washburn 301-451-8829

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIA ERP Web (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-03-00-02-4399-00-304-104

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIA ERP Web

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Larry Washburn

10. Provide an overview of the system: The NIA Extramural Research Program (ERP) Web comprises the NIA public and intranet Websites. The NIA public Website provides Web-based worldwide access to NIA public information. The public portion of the NIA website has no identification/authentication of visitors or encryption of traffic between the Web server and user browsers. The NIA intranet Website provides Web-based local (NIHnet) access to NIA private information and applications. (ADAMS Web-based applications are located on the intranet Website. See the ADAMS PIA.) Appointment and authority is given to the National Institute on Aging under Public Service Act, 42 U.S.C. 241, 242, 248, 282, 284, 285a, 285b, 285c, 285d, 285e, 285f, 285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a, 289c, and 44 U.S.C. 3101.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF collected, stored, or processed.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: No IIF collected, stored, or processed. No Submission of personal information.

Information on the ERP Web website comprises NIA health information publications, clinical trials descriptions, public service ads, links to related sites, links to health and aging organizations, extramural research program descriptions, intramural research descriptions, materials from NIA conferences, workshops, and meetings, information on NIH's inclusion policies, and descriptions of scientific resources.

Information on the ERP Web website comprises links to login pages of NIA applications accessible only from NIA LANs. A few public links, such as the NIH home page, are provided for internal users.

No IIF on ERP Web site.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A--No IIF collected, stored, or processed.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF collected, stored, or processed.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Larry Washburn 301-451-8829

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIA Extramural Financial Management Branch application (FINeX) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-04-02-8610-00-404-136

4. Privacy Act System of Records (SOR) Number: 09-25-0036 Extramural Awards and Chartered Advisory Committees

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH NIA Extramural Financial Management Branch Application (FINeX)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Larry Washburn

10. Provide an overview of the system: The FINeX application facilitates maintenance of NIH extramural grant budgets. The NIA FINeX application accesses NIA financial grant information from the eRA IMPAC II and NIH Data Warehouse databases.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No sharing or disclosures at this time. Refer to the system of record 09-25-0036 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES for the allowed disclosures of IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Financial grant information. The FINeX application facilitates maintenance of NIH extramural grant budgets. The NIA FINeX application accesses NIA financial grant information from the IMPAC II and NIH Data Warehouse databases. IIF in the system includes name, financial account information, and grant and/or contract number. Submission of personal information is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No processes are in place to notify and obtain consent from the individuals whose IIF is in the system when major changes, as defined in Section 208 of the e-Government Act of 2002, occur to the system. IIF is submitted by grant applicants during the grant application process. Information used by the NIA FINeX application originates in the eRA grant application and NIH Data Warehouse. Notification and consent from the individual is assumed when the grant application is submitted.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical controls: guards, identification badges, key cards and closed circuit TV. Technical controls: user ID, passwords, firewall, Virtual Private Network (VPN).

PIA Reviewer Approval: Promote


PIA Reviewer Name: Larry Washburn 301-451-8829

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Jan 25, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIA Healthy Aging in Neighborhoods of Diversity across the Life Span System (HANDLS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4303-00-110-219

4. Privacy Act System of Records (SOR) Number: 09-25-0200 Clinical, Basic and Population-based Research Studies

5. OMB Information Collection Approval Number: CE-04-06-01

6. Other Identifying Number(s): No

7. System Name: Healthy Aging in Neighborhoods of Diversity across the Life Span (HANDLS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Larry Washburn

10. Provide an overview of the system: The HANDLS system is a product of the Research Resources Branch of NIA Intramural Research Program. It collects personal information on the participants in the HANDLS study. The system is physically located in the Gerontology Research Center in Baltimore, Maryland. Appointment and authority is given to the National Institute on Aging under Public Service Act, 42 U.S.C. 241, 242, 248, 282, 284, 285a, 285b, 285c, 285d, 285e, 285f, 285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a, 289c, and 44 U.S.C. 3101.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No sharing or disclosures at this time. Refer to the system of record 09-25-0200 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES for the allowed disclosures of IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The personal information collected includes: name, date of birth, social security number, mailing address, phone number, medical record numbers, notes and email address. Information is used in examining the clinical questions addressed by the study, and to contact the consenting participants with the results of testing and to collect clinical follow-up information. The information collected is the minimum required to accomplish the stated mission.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No processes are in place to notify and obtain consent from the individuals whose IIF is in the system when major changes, as defined in Section 208 of the E-Government Act of 2002, occur to the system.

All participants sign an RRB-approved informed consent form acknowledging their voluntary participation in the study and their rights under HIPAA. (Refer to the system of record 09-25-0200 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES, for a summary of the notice of uses of information.)

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical controls: Guards, Identification badges, key cards and closed circuit TV

Technical controls: User ID, passwords, firewall, Virtual Private Network (VPN)

PIA Reviewer Approval: Promote


PIA Reviewer Name: Larry Washburn 301-451-8829

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIA IRP LANs (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4399-00-110-219

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: IRP Local Area Networks (LANs)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Larry Washburn

10. Provide an overview of the system: NIA Intramural Research Program (IRP) Local Area Networks (LANs) in Baltimore, MD. These networks support NIA IRP clinical research and administrative activities. Appointment and authority is given to the National Institute on Aging under Public Service Act, 42 U.S.C. 241, 242, 248, 282, 284, 285a, 285b, 285c, 285d, 285e, 285f, 285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a, 289c, and 44 U.S.C. 3101.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF collected, stored, or processed.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: No IIF collected, stored, or processed.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A--No IIF collected, stored, or processed.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF collected, stored, or processed.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Larry Washburn 301-451-8829

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIA IRP RAS (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4399-00-110-219

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: IRP Remote Access Service (RAS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Larry Washburn

10. Provide an overview of the system: The NIA Intramural Research Program (IRP) Remote Access Service (RAS) enables modem access to NIA LANs in Baltimore, MD via the public switched telephone network (PSTN). The IRP RAS supports NIA IRP clinical research and administrative activities. Appointment and authority is given to the National Institute on Aging under Public Service Act, 42 U.S.C. 241, 242, 248, 282, 284, 285a, 285b, 285c, 285d, 285e, 285f, 285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a, 289c, and 44 U.S.C. 3101.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?:

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF collected, stored, or processed.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: No IIF collected, stored, or processed.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A--No IIF collected, stored, or processed.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF collected, stored, or processed.

PIA Reviewer Approval: Promote

Comments: PIA approved.

PIA Reviewer Name: Larry Washburn 301-451-8829

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIA IRP Web (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-4303-00-110-219

4. Privacy Act System of Records (SOR) Number: 09-25-0200 Clinical, Basic and Population-based Research Studies

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: IRP Web

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Larry Washburn

10. Provide an overview of the system: NIA Intramural Research Program (IRP) Web is a suite of Web-enabled applications in Baltimore, MD, that supports NIA IRP clinical research and administrative activities. Appointment and authority is given to the National Institute on Aging under Public Service Act, 42 U.S.C. 241, 242, 248, 282, 284, 285a, 285b, 285c, 285d, 285e, 285f, 285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a, 289c, and 44 U.S.C. 3101.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No sharing or disclosures. While this system does not intend to share or disclose any IIF, the system of record 09-25-0200 indicates some potential disclosure of information practices.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The personal information is collected from a Website. This information includes: name, street address, telephone number, email address, date of birth, gender, height, weight, ethnic background, medications currently taken, and comments. The information is used to screen the potential participants in clinical research. The information collected is the minimum required to accomplish the stated mission.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Participants supply basic personal identifying information during the intake process to the Clinical Research Branch. All participants sign a consent form acknowledging their anonymity and rights under HIPAA. Refer to system of record 09-25-0200 for a detailed summary. No process for notifying individuals when major changes occur to the system.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical controls: Guards, Identification badges, key cards and closed circuit TV

Technical controls: User ID, passwords, firewall, Virtual Private Network (VPN)

PIA Reviewer Approval: Promote


PIA Reviewer Name: Larry Washburn 301-451-8829

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIA NACAnet (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-03-00-02-4399-00-304-104

4. Privacy Act System of Records (SOR) Number: 09-25-0217 "NIH Business System (NBS), HHS/NIH"

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: National Advisory Council on Aging Network (NACAnet)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Larry Washburn

10. Provide an overview of the system: NACAnet is an NIA web application that supports the National Advisory Council on Aging (NACA) by providing a repository of council-related documents. No transactions are collected or accomplished on the website, only display of NACA information. NACAnet users comprise NIA employees and the current NACA council members, some of whom are located outside NIH at academic facilities. Appointment and authority is given to the National Institute on Aging under Public Service Act, 42 U.S.C. 241, 242, 248, 282, 284, 285a, 285b, 285c, 285d, 285e, 285f, 285g, 285h, 285i, 285j, 285l, 285m, 285n, 285o, 285p, 285q, 287, 287b, 287c, 289a, 289c, and 44 U.S.C. 3101.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No sharing or disclosures at this time. Refer to the Privacy Act systems notice 09-25-0217 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES for the allowed disclosures of IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Grantee (NIH grant recipient) personal information maintained comprises: name, mailing address, phone number, financial account information, and employment status. The data is used for NACA planning.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No processes are in place to notify and obtain consent from the individuals whose IIF is in the system when major changes, as defined in Section 208 of the E-Government Act of 2002, occur to the system.

When applying for grants or contracts, applicants are informed that personal information is collected for accurate identification, referral and review by program managers. Refer to the system of record 09-25-0217 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES for a summary of the notice of uses of information.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical controls: Guards, Identification badges, key cards and closed circuit TV

Technical controls: User ID, passwords, firewall, Virtual Private Network (VPN).

PIA Reviewer Approval: Promote


PIA Reviewer Name: Larry Washburn 301-451-8829

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIA Status of Funds Internet Edition (SOFie) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3199-00

4. Privacy Act System of Records (SOR) Number: 09-25-0217 "NIH Business System (NBS), HHS/NIH"

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH NIA Status of Funds Internet Edition (SOFie)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Larry Washburn

10. Provide an overview of the system: SOFie is a Web-based financial reporting/tracking tool that enables NIH ICs to manipulate and report on financial transactions downloaded from the Budget & Finance database in the NIH Data Warehouse. (The NIH DW Budget & Finance database comprises data downloaded from the NIH Business System.) Appointment and authority is given to the National Institutes of Health under 5 U.S.C. 301 and 302, 44 U.S.C. 3101 and 3102, Executive Order 9397.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No sharing or disclosures at this time. Refer to the Privacy Act systems notice 09-25-0217 section entitled ROUTINE USES OF RECORDS MAINTAINED

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Grantee and contractor (NIH grant recipient and contractor) personal information maintained comprises: name and financial account information. User (NIH employee) personal information maintained comprises: name, phone numbers, email addresses. NIA accounting transactions are downloaded from the Budget & Finance database in the NIH Data Warehouse. (The NIH DW Budget & Finance database comprises data downloaded from the NIH Business System.) The data is used to plan, track, and report on NIA fiscal budgets.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No processes are in place to notify and obtain consent from the individuals whose IIF is in the system when major changes, as defined in Section 208 of the E-Government Act of 2002, occur to the system.

When applying for grants or contracts, applicants are informed that personal information is collected for accurate identification, referral and review by program managers. Refer to the system of record 09-25-0217 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES for a summary of the notice of uses of information.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical controls: Guards, Identification badges, key cards and closed circuit TV

Technical controls: User ID, passwords, firewall, Virtual Private Network (VPN).

PIA Reviewer Approval: Promote


PIA Reviewer Name: Larry Washburn 301-451-8829

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Jan 25, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIA Telework (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: Initial PIA Migration to ProSight

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3199-00 (Telework)

4. Privacy Act System of Records (SOR) Number: 09-25-0216 "Administration: NIH Electronic Directory (NED), HHS/NIH"

5. OMB Information Collection Approval Number: no

6. Other Identifying Number(s): no

7. System Name: NIH NIA Telework Application

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Larry Washburn

10. Provide an overview of the system: The Telework system supports the federal Telework initiative by providing an online Telework application repository and approval workflow. After an NIA employee completes an online Telework application form, the application moves through an electronic approval process. Upon approval of the application, the applicant receives an email notification of their application status. The applicant then completes an online Home Office Evaluation form. The Telework system also enables automatic renewals, automatic changes, and online termination of telework approval.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No sharing or disclosures at this time. Refer to the system of record 09-25-0216 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES for the allowed disclosures of IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The Telework system collects and maintains voluntarily submitted IIF needed to support the federal Telework initiative, including employee name, supervisor name, NIH employee badge number, job title and grade, IC, division, building and room numbers, work phone and fax, email address, home address, and home phone and fax numbers. The information is used to manage Telework applications, approvals, renewals, changes, and terminations.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: All IIF in the Telework system is submitted by Telework applicants during the application process. At login, the Telework system displays a Privacy Statement that describes use of collected data.

No processes are in place to notify and obtain consent from the individuals whose IIF is in the system when major changes, as defined in Section 208 of the E-Government Act of 2002, occur to the system.

Refer to the system of record 09-25-0216 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES for a summary of the notice of uses of information.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical controls: guards, identification badges, key cards and closed circuit TV. Technical controls: user ID, passwords, firewall, Virtual Private Network (VPN).

PIA Reviewer Approval: Promote


PIA Reviewer Name: Larry Washburn 301-451-8829

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIA Visual Status of Funds (VSOF) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: Alteration in Character of Data

1. Date of this Submission: Jan 10, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-02-3198-00-402-125

4. Privacy Act System of Records (SOR) Number: 09-25-0217 "NIH Business System (NBS), HHS/NIH"

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH NIA Visual Status of Funds (VSOF)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Larry Washburn

10. Provide an overview of the system: VSOF is a financial reporting/tracking tool that enables NIH ICs to manipulate and report on financial transactions downloaded from the Budget & Finance database in the NIH Data Warehouse. (The NIH DW Budget & Finance database comprises data downloaded from the NIH Business System.) Appointment and authority is given to the National Institutes of Health under 5 U.S.C. 301 and 302, 44 U.S.C. 3101 and 3102, Executive Order 9397.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No sharing or disclosures at this time. Refer to the Privacy Act systems notice 09-25-0217 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES for the allowed disclosures of IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Grantee and contractor (NIH grant recipient and contractor) personal information maintained comprises: name and financial account information. User (NIH employee) personal information maintained comprises: name, phone numbers, email addresses. NIA accounting transactions are downloaded from the Budget & Finance database in the NIH Data Warehouse. (The NIH DW Budget & Finance database comprises data downloaded from the NIH Business System.) The data is used to plan, track, and report on NIA fiscal budgets.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No processes are in place to notify and obtain consent from the individuals whose IIF is in the system when major changes, as defined in Section 208 of the E-Government Act of 2002, occur to the system.

When applying for grants or contracts, applicants are informed that personal information is collected for accurate identification, referral and review by program managers. Refer to the system of record 09-25-0217 section entitled ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES for a summary of the notice of uses of information.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Physical controls: Guards, Identification badges, key cards and closed circuit TV

Technical controls: User ID, passwords, firewall, Virtual Private Network (VPN).

PIA Reviewer Approval: Promote


PIA Reviewer Name: Larry Washburn 301-451-8829

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Jun 30, 2006

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAAA FINEX (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jun 27, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-04-02-8610-00-404-136

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: no

6. Other Identifying Number(s): no

7. System Name: NIAAA FinEx

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Keith Lamirande

10. Provide an overview of the system: The FinEx application is a centralized, internet-based relational database environment that stores data and business rules (procedures) required to maintain the Extramural grant budget. The FinEx application includes the tools necessary to estimate, award, obligate, forecast and report on grant budgets in the Extramural program.

In its in-production state, FinEx resides on the NIAAA-FINSOF server as a .Net, web-developed application. Its interdependences on other resources (or dynamically-linked libraries (DLLs)) are fully compiled into the installed version of FinEx on NIAAA-FINSOF. NIAAA-FINSOF serves as the web application. The database on which FinEx is dependent resides on NIAAA resources, SQL Server 2000 database server. FinEx utilizes, but is not dependent on NIH CIT resources for supplemental data (e.g. IRDB-an Oracle database warehouse server and DataWarehouse-an IBM mainframe finance data warehouse).

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): IIF is obtained from the eRA system in the administration of research grants IAW SOR#09-25-0036.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Financial Grant information. The FinEx application is a centralized, Internet-based relational database environment that stores data and business rules (procedures) required to maintain the extramural grant budget. The FinEx application includes the tools necessary to estimate, award, obligate, forecast and report on grant budgets in the extramural program. IIF contained in NIAAA FinEx is obtained from the eRA system and is a required part of the grants submission process. Since IIF is required for the grants submission process, it is a mandatory requirement of FinEx.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: IIF is submitted as a part of the grants application process. Information used by the NIAAA FinEx is taken from the eRA grant application. Notification and consent from the individual is assumed when the grant application is submitted. All notification and consent is taken care of via the grant application submission process and eRA systems.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Role-based security, single sign-on using user name and password, system resides behind a firewall and is in a server room with no external access. All personnel not having card key access are escorted and required to sign in.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Bridget Williams-Simmons

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAAA SOFie (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jun 27, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: SOFIE

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Laura L. Lee

10. Provide an overview of the system: SOFie is a Web based application employing Microsoft’s IIS and SQL server software. The SOFie application supports the efforts of several offices and branches within NIAAA, allowing budget offices to track expenditures of direct, reimbursable, and non-appropriated funds in a fiscal year. Additionally, SOFie is used to reflect budget allocations and projected expenditures at the operating level. The program also contains a tracking mechanism to track prior year funds. The application downloads this information from the NIH Data Warehouse weekly. Information entered into the SOFie database is not uploaded into the NIH Data Warehouse database. SOFie is not a source database for other information systems

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: SOFie is a Web based application employing Microsoft’s IIS and SQL server software. The SOFie application supports the efforts of the budget office to track expenditures of direct, reimbursable, and non-appropriated funds in a fiscal year. Additionally, SOFie is used to reflect budget allocations and projected expenditures at the operating level. The program also contains a tracking mechanism to track prior year funds. The application downloads this information from the NIH Data Warehouse weekly. Information entered into the SOFie database is not uploaded into the NIH Data Warehouse database. SOFie is not a source database for other information systems. No IIF information is contained in SOFIE.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Reviewer Approval: Promote


PIA Reviewer Name: Bridget Williams-Simmons

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAAA Visual Employee Database System (VEDS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 27, 2007

2. OPDIV Name: Jun 27, 2007

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3196-00-403-131

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): None

7. System Name: Visual Employee Data System (VEDS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Laura L. Lee

10. Provide an overview of the system: VEDS is a windows-based application primarily used to manage and track personnel information. Authority for maintenance of the system: 5 U.S.C. 1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521 and Executive Order 10561.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is for internal senior administrative use only and will not be shared with other entities. Reference to Privacy Act System of Records (SOR) Number 09-90-0018


30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: VEDS tracks all information pertinent to a personnel file for the purpose of personnel management activities. Information is collected from employees via the HRDB system. Uses consist of the following: a) tracking a time-limited appointment to ensure renewals are done in a timely manner, thereby avoiding any break in service, b) ensuring that allocated FTE ceilings are maintained, c) ensuring salary equality for various hiring mechanisms, d) providing reports requested by the NIH Director, IC Director and other management staff, as requested, and e) maintaining lists of non FTEs, special volunteers, contractors, and other hiring appointments. The information collected constitutes IIF, and is mandatory for all employees.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: IIF in the system is downloaded from the Human Resources Database (HRDB) system. Changes to the system or changes in the way the information is used are relayed to employees via official notices from the Office of Human Resources (OHR). Individuals are notified of the collection and use of data as part of the hiring process and is mandatory if the potential job applicant wishes to seek employment at NIH.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: IIF is protected with very limited "need-to-know" administrative staff and is password protected. The system is located in a secured network room behind a firewall.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Bridget Williams-Simmons

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Jun 30, 2006

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAAA Visual Status of Funds (VSOF) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 27, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-02-3198-00-402-125

4. Privacy Act System of Records (SOR) Number: 09-90-0024

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Visual Status of Funds (VSOF)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Laura L. Lee

10. Provide an overview of the system: The purpose of the system is for query and review of accounting data in order to monitor obligations and expenditures associated with a current fiscal year. Authorizing for maintenance of this system are the Budget and Accounting Act of 1950 (P.L. 81-784) and the Debt Collection Act of 1982 (P.L. 97-365).

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share or disclose IIF information.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Accounting data and related document information is downloaded from the Central Accounting Mainframe (Data Warehouse Budget and Finance) and is relevant or specific to NIAAA for its fiscal year operations. The system contains no IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF is in the system.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF is on the system.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Etienne Lamoreaux

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Jun 12, 2006

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Acquisition Management and Budget Information System (AMBIS) (Item)




PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: PIA Validation

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8513-00-405-143

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Acquisition Management and Budget Information System (AMBIS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Rebecca Chang

10. Provide an overview of the system: The Acquisition Management Budget Information System (AMBIS) is a desktop based acquisitions system that effectively and securely allows filing purchasing requests that are further processed and entered into NIH DelPro system. AMBIS Lite is a web-based version of AMBIS.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Internal Administrative DB

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Name, Mailing address, telephone number, and email address collected as identifier for requester. All of this information is in public domain

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Only publicly available contact information is collected.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A


PIA Reviewer Approval: Promote


PIA Reviewer Name: Susan Boyle

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAID ARAC Review (ARAC) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 23, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-02-8520-00-110-249

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIAID ARAC Review

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Eric Charles

10. Provide an overview of the system: This is a data-centric ASP project that assists users with entering information at meeting time for discussions on upcoming meetings. On-going support is characterized by on-demand recurring requests for updating of web pages which list meetings.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Does Not Share

Per SOR 09-25-0036,

Disclosure may be made to qualified experts not within the definition of Department employees as prescribed in Department regulations for opinions as a part of the application review process.

Disclosure may be made to a private contractor or Federal agency for the purpose of collating, analyzing, aggregating or otherwise refining records in this system. The contractor or Federal agency will be required to maintain Privacy Act safeguards with respect to these records.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: To maintain current and historical information pertaining to the establishment of chartered advisory committees of the National Institutes of Health and the appointment or designation of their members.

The administrative task for ARAC is done through email correspondence between the client and site administrators. The client sends the site administrator documents, which the site administrator converts to HTML, and updates the application to display these documents. The client also sends a list of reviewers, the meeting start date and concepts for the meeting; the site administrator enters this information into the application.

Members whose names and contact information are contained on the system have submitted it voluntarily and are informed that it will be used to assist in communication and the review process.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Written consent is obtained from members when personal (contact) information is collected.

The intended use for the information is described in writing at the time of collection.

Members are informed of the use of the application (ARAC), that it will contain their names and contact information. Changes to the system are discussed with all members during business communications, including written correspondence.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Authorized Users: Employees who maintain records in this system are instructed to grant regular access only to NIH extramural and advisory committee staff, NIH contract management staff, and Federal acquisition personnel. Other one-time and special access by other employees is granted on a need-to-know basis as specifically authorized by the System manager.

Physical Safeguards: Physical access to NIH work areas is restricted to employees. Physical access to the Office of Technology Information Systems (OTIS) work areas is restricted to OTIS employees. Physical access to Office of Federal Advisory Committee Policy (OFACP) work areas is restricted to OFACP employees. Access to the contractor performance files is restricted through the use of secure socket layer encryption and through an IBM password protection system. Only authorized government contracting personnel are permitted access. Access is monitored and controlled by OTIS.

Procedural Safeguards: Access to source data files is strictly controlled by files staff. Records may be removed from files only at the request of the System manager or other authorized employee. Access to computer files is controlled by the use of registered accounts, registered initials, keywords, and similar limited access systems.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Susan Boyle

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Council Action and Approval Program (CAAP) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 23, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8504-00-301-092

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NO

7. System Name: Council Action and Approval Program (CAAP)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jay Silverman

10. Provide an overview of the system: CAAP is a group of 10 individual modules. Each module is a mini application within itself. CAAP is developed in VB 6, ADO, stored procedures, SQL database, and ASP.NET.

Council was developed with VB 6.0 and ADO technology, stored procedures, and SQL database. A number of reports are available in Crystal and Excel format.

RFA/PA: VB 6, ADO, stored procedures and SQL database are used.

Modules: NIAID Funding Plan, RFA/PA Award System, Bridge Awards System, Select Pay Awards System, Merit Pay System, Merit Extensions, FY Grants Tracking System, GrayZone Comments Select Pay and Bridge, Request For Administrative Supplement, and GMB Specia

Used by Extramural staff to track and administer grant applications. The information loaded into the application provides the staff with a portfolio listing of records based on several parameters, i.e. Council date(s), PCC code(s), or Division Code.

The RFA/PA application is used by DAIT and DMID to generate a listing and total money obligated in the out years from RFA/PAs. This is used in Institute meetings for planning purposes.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Does Not Share

Per SOR (09-25-0036) disclosures may be made to a Federal Agency, The Department, or another NIH organization according to the guidelines stipulated in the SOR.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: As part of the Institute's business functions in the management of research, this system contains Names, Mailing Addresses, and Phone numbers of Principal Investigators involved in research funded by the Institute.

This information is voluntary. The principal investigator submits this data when seeking NIH funding for research. There is an opt out choice.

The information collected is used to manage NIH business functions.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Grant applicants are given NIAID's Privacy Policy during the application process. Consent is obtained upon application. IIF within this system is not disclosed or utilized outside of the functions of managing the Institute's business. Individuals are notified of changes in writing per NIAID's Privacy Policy.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Authorized Users: Employees who maintain records in this system are instructed to grant regular access only to NIH extramural and advisory committee staff, NIH contract management staff, and Federal acquisition personnel. Other one-time and special access by other employees is granted on a need-to-know basis as specifically authorized by the System manager.

Physical Safeguards: Physical access to Office of Extramural Research (OER) work areas is restricted to OER employees. Physical access to the Office of Acquisition and Policy (OAMP) work areas is restricted to OAMP employees. Physical access to Office of Federal Advisory Committee Policy (OFACP) work areas is restricted to OFACP employees. Access to the contractor performance files is restricted through the use of secure socket layer encryption and through an IBM password protection system. Only authorized government contracting personnel are permitted access. Access is monitored and controlled by OAMP.

Procedural Safeguards: Access to source data files is strictly controlled by files staff. Records may be removed from files only at the request of the System manager or other authorized employee. Access to computer files is controlled by the use of registered accounts, registered initials, keywords, and similar limited access systems.

CAAP system has been through a full C&A and received an ATO from NIAID's CIO (June 2005). System benefits from double firewall, user authentication, least privileges, and controlled access points.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Susan Boyle

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAID DAIT Studies System (DSS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 23, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8534-00-110-249

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: NA

6. Other Identifying Number(s): NA

7. System Name: DAIT Studies System (DSS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Eric Charles

10. Provide an overview of the system: A management oversight system designed to assist Project Officers (POs) with the DAIT in managing research projects that include human subjects.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The information will not be shared. Per SOR 09-25-0036, disclosures may be made for the following uses:

Disclosure may be made to the cognizant audit agency for auditing.

Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.

Disclosure may be made to qualified experts not within the definition of Department employees as prescribed in Department regulations for opinions as a part of the application review process.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Name, Mailing address, telephone number, and email address are the PII that the agency will collect. It will be used for management oversight to assist DAIT Project Officers (POs) manage research projects that include human subjects.

Submission of the information is voluntary as it is part of the application process, but applications that are submitted without the information could be hindered from processing and could be declined for insufficient information.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Information is provided by individuals who are applying for grants. Participation is at the discretion of the individual who applies for the grant or award. The applicants are informed on the application that the information collected will be used solely for the management of the grants process and will not be shared. There is no process in place to notify individuals in the event of a major change to the system.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Authorized Users: Employees who maintain records in this system are instructed to grant regular access only to NIH extramural and advisory committee staff, NIH contract management staff, and Federal acquisition personnel. Other one-time and special access by other employees is granted on a need-to-know basis as specifically authorized by the System manager.

Physical Safeguards: Physical access to Office of Extramural Research (OER) work areas is restricted to OER employees. Physical access to the Office of Acquisition and Policy (OAMP) work areas is restricted to OAMP employees. Physical access to Office of Federal Advisory Committee Policy (OFACP) work areas is restricted to OFACP employees. Access to the contractor performance files is restricted through the use of secure socket layer encryption and through an IBM password protection system. Only authorized government contracting personnel are permitted access. Access is monitored and controlled by OAMP.

Procedural Safeguards: Access to source data files is strictly controlled by files staff. Records may be removed from files only at the request of the System manager or other authorized employee. Access to computer files is controlled by the use of registered accounts, registered initials, keywords, and similar limited access systems.

These practices are in compliance with the standards of Chapter 45-13 of the HHS General Administration Manual, "Safeguarding Records Contained in Systems of Records," supplementary Chapter PHS hf: 45-13, and the HHS Automated Information Systems Security Program Handbook.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Susan Boyle

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Intramural NIAID Research Opportunities Program (INRO) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 23, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8529-00-110-249

4. Privacy Act System of Records (SOR) Number: 09-25-0014

5. OMB Information Collection Approval Number: na

6. Other Identifying Number(s): na

7. System Name: Intramural NIAID Research Opportunities Program (INRO)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Rebecca Chang

10. Provide an overview of the system: INRO introduces students to research and training opportunities in NIAID's Division of Intramural Research and the Vaccine Research Center. To support this endeavor, SAISB created the INRO application. INRO provides an on-line application process for students interested in the INRO Program, and enables reviewers to assign ratings and select students for participation. It serves as a resource for INRO program administrators.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Per SOR 09-25-0014

Information may be used to respond to congressional inquiries regarding constituents who have applied for training programs.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Students will enter the following data. Submission is voluntary and used to manage selections for the intern program.

· Name

· Date of Birth

· Social Security Number

- Alien Registration Number

- Special Needs

· Mailing Address

· Phone Numbers (e.g., phone, fax, and cell)

· Email Address

· Education Records

· Race

· National Origin

· Country of birth

· Gender

· Physical Disabilities, Constraints or health issues

· Emergency Contact Name

· Emergency Contact Phone

· Dates of Winter Break

This is the minimal information needed to track selected students between the time of their application to the program and the onset of the conference. Additional information will be collected to help manage the review and evaluation process:

· Sponsor Name

· Sponsor E-mail

· Sponsor Telephone

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Students supply information voluntarily as part of the application process for a Fellowship opportunity at the NIH. IIF is collected at the time of application for the internship. Students are informed of the need and intended use of the IIF at the point of collection, and they are given the choice to opt out by not completing and submitting the application for an internship.

They are advised that the information collected is to be used strictly for administering the INRO program.

They may opt out of the submission by not submitting an application.

Notification is made electronically, and in some cases by mail, if changes occur that warrant notification to enrollees.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Data security in accordance with the HHS, NIH, and NIAID IT security guidelines, and the guidelines of the Office of Training and Special Emphasis Programs (OTSEP).

Measures to prevent the unauthorized disclosure of information covered under the Privacy Act are implemented for each training program administered through the Office of Education.

Authorized Users: Staff in the Office of Education are instructed to disclose information only to NIH personnel who are involved in the evaluation and selection of candidates for intramural training programs.

Physical Safeguards: Paper files and disks are stored in cabinets in a locked room that is under constant surveillance by security personnel. Electronic databases are accessible only with a password on secure web sites.

Procedural safeguards: Access to the paper files is strictly controlled by the Office of Education staff. Files may be removed only with the approval of the system manager or other authorized official(s).

PIA Reviewer Approval: Promote


PIA Reviewer Name: Susan Boyle

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Personnel Action Tracking System (PATS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 23, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-02-8533-00-403-250

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Personnel Action Tracking System (PATS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jorge Montalvo

10. Provide an overview of the system: PATS (Personnel Action Tracking System) is a NIAID automated system that allows for the tracking of HR actions from beginning to end. It is an Institute-wide, mandatory, automated system that provides Program and Administrative staff with up-to-date status and history of individual HR actions and provides supervisors with standardized reports to manage and measure HR, Program support, and administrative workloads. PATS facilitates streamlined tracking of processes which replaced a manual process supported by numerous stand-alone logs.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Disclosures are made in accordance with SOR # 09-90-0018

Names of individuals are collected and may be shared within the Institute or division in order to carry out the business process.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: This system is used to track personnel actions through the administrative process. Other than names of employees affiliated with such actions, and the names of the administrative officers involved in the work flow, it tracks no other personally identifiable information. The workflow process involved allows the position and disposition of a task or activity (with whom, when) to be identified in the organization. Specific information about individuals is not contained in this application.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The IIF contained in the system is that of employees of the Institute. This information was obtained voluntarily from the employees and is used to manage administrative tasks within the department.

Per NIH policy, the individuals whose personal information is contained in the system will be notified electronically if there is a change in the intended use of this information.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is on the intranet with a double firewall perimeter, and is password protected. It does not have outward facing web access.

User access is strictly controlled. Permissions are granted on need-to-know. The building has full time security and key lock access controls. The server room where the application resides is a controlled access site with a limited roster.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Susan Boyle

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAID PMT (PMT) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 23, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8508-00-301-092

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Program Management Tool

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Eric Charles

10. Provide an overview of the system: The Program Management Tool (PMT) is an Intranet, web-based application that was developed for Program Officers (PO) within the Division of Microbiology and Infectious Diseases (DMID) of the extramural branch as an aid for organizing and managing their grants and project applications portfolio. The primary purpose of the application is to assist POs in performing various administrative tasks associated with portfolio management.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: NA

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: This system contains no IIF.

The system integrates all electronic information resources required to perform the activities of portfolio management. It captures information about the application, awards, and grants. It contains indicators from basic laboratory science to Phase III clinical trials. It has biodefense program information.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: NA

PIA Reviewer Approval: Promote


PIA Reviewer Name: Susan Boyle

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Reviewer Support Site (RSS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 23, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8534-00-110-249

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: no

6. Other Identifying Number(s): no

7. System Name: Reviewer Support Site (RSS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Eric Charles

10. Provide an overview of the system: The NIAID Scientific Review Program (SRP) conducts peer review meetings to perform technical evaluation of grant applications and contract proposals. Scientific Review Administrators (SRA) provide scientific, administrative, and logistical oversight of the peer review process, ensuring all applications/proposals receive an impartial and competent evaluation in compliance with official policies and guidelines. After review meetings, SRAs prepare and release a summary statement/technical evaluation report for each reviewed application/proposal, verify meeting expenses, and certify reviewers' attendance. RSS enhances the communication of information between SRP staff and meeting participants throughout the process. SRP staff can make great quantities of information (i.e., meeting related documents) available to reviewers via a secure Internet site versus sending numerous packages of hardcopy and electronic media via courier service.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Per SOR 09-25-0036 -

Disclosure may be made to qualified experts not within the definition of Department employees as prescribed in Department regulations for opinions as a part of the application review process.

A record may be disclosed for a research purpose, when the Department: (A) has determined that the use or disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system will collect user identification and contact information such as name, address(es), phone and fax number(s), email address(es), organization, title, degree(s), and social security number (SSN). NIAID Scientific Review Program (SRP) staff will use this information in the performance of their duties coordinating the peer review of grant applications and contract proposals. Such duties include, but are not limited to: telephone interviews and teleconferences, meetings, and sending great quantities of meeting related materials to reviewers. Reviewers will use the system to access review-related documents and information.

Submission of IIF is voluntary. Consent is implicit in the reviewer’s agreement to serve on a peer review panel.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Information about NIAID staff will be entered by system administrators or the individuals themselves. Some information about reviewers will be collected via telephone conversation or hardcopy submission and entered by NIAID staff; the rest will be entered online by the individuals themselves. Reviewers are instructed by initial telephone interview that information about them will be used for internal administrative purposes only and will not be shared. Consent is implicit in a reviewer’s agreement to serve on a peer review panel.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Authorized Users: Employees who maintain records in this system are instructed to grant regular access only to NIH extramural and advisory committee staff, NIH contract management staff, and Federal acquisition personnel. Other one-time and special access by other employees is granted on a need-to-know basis as specifically authorized by the System manager.

Physical Safeguards: Physical access to Office of Extramural Research (OER) work areas is restricted to OER employees. Physical access to the Office of Acquisition and Policy (OAMP) work areas is restricted to OAMP employees. Physical access to Office of Federal Advisory Committee Policy (OFACP) work areas is restricted to OFACP employees. Access to the contractor performance files is restricted through the use of secure socket layer encryption and through an IBM password protection system. Only authorized government contracting personnel are permitted access. Access is monitored and controlled by OAMP.

Procedural Safeguards: Access to source data files is strictly controlled by files staff. Records may be removed from files only at the request of the System manager or other authorized employee. Access to computer files is controlled by the use of registered accounts, registered initials, keywords, and similar limited access systems.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Susan Boyle

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Scientific Initiative Management System (SIMS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 23, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8536-00-110-249

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Scientific Initiative Management System (SIMS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Rebecca Chang

10. Provide an overview of the system: SIMS is designed to integrate the creation of concepts for initiatives, and the review and approval of selected concepts for development as PFAs, RFPs, PAs and Contracts. It enables phasing (scheduling) and tracking of initiatives from approval through completion stages.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Does Not Share

Per SOR 09-25-0036, disclosure to Congress, Federal Agencies, and within the Department is permitted according to specified guidelines.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system contains Names, Addresses, Email addresses and Phone numbers. These are used to support centralized grant programs of the Public Health Service. Services are provided in the areas of grant application assignment and referral, initial review, council review, award processing and grant accounting.

Submittal of this information is voluntary. The applicant has the choice to opt out.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Consent is gained at the point of application. The Institute's Privacy Policy is included with application materials and includes intended use of the data by the Institute. An applicant consents to the disclosure and use of personal information by submitting an application. The intended use of the information is disclosed at the application process.

Applicants are notified via electronic means, postal service, or telephone of all changes that affect their grant or contract status. This includes their file information.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Authorized Users: Employees who maintain records in this system are instructed to grant regular access only to NIH extramural and advisory committee staff, NIH contract management staff, and Federal acquisition personnel. Other one-time and special access by other employees is granted on a need-to-know basis as specifically authorized by the System manager.

Physical Safeguards: Physical access to Office of Extramural Research (OER) work areas is restricted to OER employees. Physical access to the Office of Acquisition and Policy (OAMP) work areas is restricted to OAMP employees. Physical access to Office of Federal Advisory Committee Policy (OFACP) work areas is restricted to OFACP employees. Access to the contractor performance files is restricted through the use of secure socket layer encryption and through an IBM password protection system. Only authorized government contracting personnel are permitted access. Access is monitored and controlled by OAMP.

Procedural Safeguards: Access to source data files is strictly controlled by files staff. Records may be removed from files only at the request of the System manager or other authorized employee. Access to computer files is controlled by the use of registered accounts, registered initials, keywords, and similar limited access systems.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Susan Boyle

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Scientific Reporting Suite (SRS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 25, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8535-00-110-249

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: no

6. Other Identifying Number(s): no

7. System Name: NIAID Scientific Reporting Suite

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nancy Bavisotto

10. Provide an overview of the system: A series of software support tools for the DEA - primarily scientific reporting tools regarding research, science, grants management, and data analysis.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Does Not Share

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: This system does not collect or contain any IIF.

A series of software support tools for the DEA -

The system identifies the scientific codes employed by NIAID to define the type of research employed on research efforts. Each discipline and sub-discipline has specific codes which are used to track the work; primarily scientific reporting tools regarding research, scientific coding, science, grants management, and data analysis.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Reviewer Approval: Promote


PIA Reviewer Name: Susan Boyle

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Visual Employee Database System (VEDS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 23, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3196-00-403-131

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Visual Employee Database System (VEDS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Eric Charles

10. Provide an overview of the system: This is a Windows-based application that is used to monitor, track, query and report the Institute’s personnel information for FTE and non-FTE staff.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is not shared.

Per SOR 09-90-0018, data may be disclosed to the Department according to business and compliance needs.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Name, date of birth, social security number, mailing address, educational, military, and employee records.

The application collects information from the NIH HRDB system through a downloaded bi-weekly report. Social security numbers are included in the data collected as it is information necessary to manage an organization’s personnel information.

The information is collected from individuals upon seeking employment at the NIH and is mandatory.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Individuals are given a copy of the Institute's Privacy policy upon hiring and informed that the personal information they provide will be used by the Institute solely to manage its personnel affairs. It is not shared.

IIF in the system is gathered from the HRDB system. Changes to the system or changes in the way the information is used are relayed to employees via official notices from NIAID. Individuals are notified of the collection and use of data as part of the hiring process; the collection is mandatory if the potential job applicant wishes to seek employment at NIH.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Authorized Users: Employees who maintain records in this system are instructed to grant regular access only to NIH extramural and advisory committee staff, NIH contract management staff, and Federal acquisition personnel. Other one-time and special access by other employees is granted on a need-to-know basis as specifically authorized by the System manager.

Physical Safeguards: Physical access to Office of Extramural Research (OER) work areas is restricted to OER employees. Physical access to the Office of Acquisition and Policy (OAMP) work areas is restricted to OAMP employees. Physical access to Office of Federal Advisory Committee Policy (OFACP) work areas is restricted to OFACP employees. Access to the contractor performance files is restricted through the use of secure socket layer encryption and through an IBM password protection system. Only authorized government contracting personnel are permitted access. Access is monitored and controlled by OAMP.

Procedural Safeguards: Access to source data files is strictly controlled by files staff. Records may be removed from files only at the request of the System manager or other authorized employee. Access to computer files is controlled by the use of registered accounts, registered initials, keywords, and similar limited access systems.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Susan Boyle

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAID Visual Status of Funds (VSOF) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 23, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-02-3198-00-402-125

4. Privacy Act System of Records (SOR) Number: NA

5. OMB Information Collection Approval Number: NA

6. Other Identifying Number(s): NA

7. System Name: Visual Status of Funds

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: John Graves

10. Provide an overview of the system: This application is used to monitor, track, query and report the Institute’s fiscal and budgetary data in order to monitor obligations and expenditures associated with the current fiscal year.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): It does not

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Accounting data and related document information is downloaded from ImpacII and is relevant or specific to NIAID for its fiscal year operations. The system contains no IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This system does not contain IIF.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Susan Boyle

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAID VRC Study Manager (StudyMgr) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 25, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8539-00-110-249

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: na

6. Other Identifying Number(s): na

7. System Name: Vaccine Research Center Study Manager

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Fred Sparks

10. Provide an overview of the system: This is a clinical trial recruitment and scheduling system for vaccine research.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Does not disclose or share IIF.

Per SOR, (90-25-0200) -

A record may be disclosed for a research purpose, when the Department: (A) has determined that the use or disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained; e.g., disclosure of alcohol or drug abuse patient records will be made only in accordance with the restrictions of confidentiality statutes and regulations 42 U.S.C. 241, 42 U.S.C. 290dd-2, 42 CFR Part 2, and where applicable, no disclosures will be made inconsistent with an authorization of confidentiality under 42 U.S.C. 241 and 42 CFR Part 2a; (B) has determined that the research purpose (1) cannot be reasonably accomplished unless the record is provided in individually identifiable form, and (2) warrants the risk to the privacy of the individual that additional exposure of the record might bring; (C) has required the recipient to (1) establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record, (2) remove or destroy the information that identifies the individual at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the research project, unless the recipient has presented adequate justification of a research or health nature for retaining such information, and (3) make no further use or disclosure of the record except (a) in emergency circumstances affecting the health or safety of any individual, (b) for use in another research project, under these same conditions, and with written authorization of the Department, (c) for disclosure to a properly identified person for the purpose of an audit related to the research project, if information that would enable research subjects to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audit, or (d) when required by law; and (D) has secured a written statement attesting to the recipient's understanding of, and willingness to abide by, these provisions.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The following PIA is collected from volunteers who choose to participate in a clinical trial:

· Name

· Age and date of birth

· Mailing address

· Telephone number and alternate phone number

· Email address

· Generic medical history of healthy volunteers

· History of sexual behavior (if applicable to the trial)

Collected information will be used to track potential clinical trial volunteers and determine their eligibility for participation in various trials.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Individuals agree to have information collected as part of clinical trial screening. Major changes are not contemplated for this system, and data is not shared. The data will never be used for other purposes. Individuals call in and self-volunteer for studies.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: User accounts grant access only to those individuals who have a need to know the information in the performance of their duties. Data is not available outside of the dedicated group.

System is housed in a locked server room with strict access control kept. Duties are divided to ensure access monitoring.

Management review ensures compliance with procedures.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Susan Boyle

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAID VRC Support Suite (VRCSS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 23, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-8541-00-110-249

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: VRC Support Suite

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Eric Silberman

10. Provide an overview of the system: A suite of software applications built for the VRC by SAISB for use by research scientists and their laboratory staff. These systems include features for sophisticated data analysis, information storage, retrieval and sharing, and reporting functionality. Vector application is designed for Vector Core Laboratory in VRC to store plasmid information. VRCCID application creates, retrieves, updates, and deletes protocols and all their components for FACS and for the VRC flow cytometry core facility. Components include FACS machines, fluorochromes, laser colors, conjugated antibodies.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A - This system contains no IIF

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: No IIF collected -

Web-based application for VRC to maintain their Viral Pathogenesis Laboratory plasmid database.

Web-based cell-line freezer inventory application

Laboratory of Virology and Vector Core Laboratory Database

Tracks results from lab research and testing, customized to include a freezer inventory of blood samples

Application for VRC to maintain their antibody database and create their experiment protocol

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: NO

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: NO IIF is collected or maintained in this system.

Authorized Users: Employees who maintain records in this system are instructed to grant regular access only to NIH extramural and advisory committee staff, NIH contract management staff, and Federal acquisition personnel. Other one-time and special access by other employees is granted on a need-to-know basis as specifically authorized by the System manager.

Physical Safeguards: Physical access to Office of Extramural Research (OER) work areas is restricted to OER employees. Physical access to the Office of Acquisition and Policy (OAMP) work areas is restricted to OAMP employees. Physical access to Office of Federal Advisory Committee Policy (OFACP) work areas is restricted to OFACP employees. Access to the contractor performance files is restricted through the use of secure socket layer encryption and through an IBM password protection system. Only authorized government contracting personnel are permitted access. Access is monitored and controlled by OAMP.

Procedural Safeguards: Access to source data files is strictly controlled by files staff. Records may be removed from files only at the request of the System manager or other authorized employee. Access to computer files is controlled by the use of registered accounts, registered initials, keywords, and similar limited access systems.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Susan Boyle

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAMS Coding System for Special Emphasis Areas (SEA) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-8801-00-202-069

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: 0925-0001

6. Other Identifying Number(s): None

7. System Name: NIAMS Coding System for Scientific Emphasis Areas (SEA)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Janet David

10. Provide an overview of the system: In order to respond to the NIH Budget Office requests and congressional inquiries regarding awarded information in relation to disease reporting areas, awarded data on grants, research contracts and intramural projects are “coded” by disease or special emphasis areas (SEA). This system allows the record to be coded and reports generated to respond to requests. The principal investigator's name and address are included on reports for reference. Data is tallied by fiscal year and comparisons made. The purpose of this system is to code the grant, contract or intramural project to obtain the data.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is collected under SOR 09-25-0036. Information is compiled in report format to respond to queries from Congressional offices, scientific associations and for NIH disease reporting information. Data is provided to show projects funded to support the numerous NIAMS disease categories. The data is displayed to show dollars awarded to Institutions/Principal Investigators broken down by disease categories. IIF data is used to identify and credit the project to the specific investigator.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Legislation authority: 5 U.S.C. 301; 42 U.S.C. 217a, 241, 282(b)(6), 284a, and 288. 48 CFR Subpart 15.3 and Subpart 42.15.

The name and address information associated with the grant, contract or project is listed on the generated reports as a reference. The grant, contract or project is coded for special emphasis areas (SEA) as it relates to disease reporting. Information is collected to respond to congressional inquiries and budget office requests. Information is usually aggregated for each special emphasis area as well as reports listing the specific grant, contract, and project.

Information is mandatory under the parent eRA/NIH system. (NIAMS is not making it mandatory).

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: This system is an extension of the enterprise system (eRA/ImpacII) which is authorized to collect data under 0925-0001. If major changes in the enterprise system occurred, the notification and consent would be through the enterprise system. Changes to the forms or systems that collect the data would notify the individuals when they enter their own data. This system does not collect or use any other data on the individual except what is available through the enterprise system.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Admin Controls - The information is maintained on-line by the system and may be accessed and printed by those authorized access to the information. Access to this data is limited to those persons whose official duties require such access.

Physical controls - Access to the system requires an NIH Login userid and password. The system is further restricted to only NIAMS users and the NIAMS domain (servers, PCs, etc. residing in NIAMS). The servers are secured in a locked, controlled environment.

Technical controls - The NIAMS ISSO and Server Team monitor and control access to all NIAMS machines, including the Intranet server using system monitoring and intrusion detection tools.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Michael Toland

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAMS Internet Multi-IC Contract Tracking System (MCTS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-8801-00-202-069

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: 0990-0115

6. Other Identifying Number(s): None

7. System Name: Internet Multi-IC Contract Tracking System (MCTS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Janet David

10. Provide an overview of the system: This system is used to monitor and track deliverables and administrative paperwork on awarded research contracts. System is used to facilitate the work processes within the contract management office and to provide the data for reports for internal sources.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is collected under 09-25-0036. Data is for internal purposes to track and manage the contract paperwork with the office. IIF data is used to identify the principal investigator of the contract.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Legislation authority: 5 U.S.C. 301; 42 U.S.C. 217a, 241, 282(b)(6), 284a, and 288. 48 CFR Subpart 15.3 and Subpart 42.15.

Information collected is from the awarded research contract paperwork and is for internal administration of the contract. A contact person's name and mailing address is included for reference and to generate correspondence. The contact name & address is mandatory.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: If major changes in the enterprise system occurred (request for contract data), notification and consent would be through the enterprise system. Changes to the forms or systems that collect the data would notify the individuals when they enter their own data and apply for a contract. This system does not collect or use any other data on the individual except what is available through the enterprise system.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

PIA Reviewer Approval: Promote


PIA Reviewer Name: Michael Toland,

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAMS Internet Website (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-04-02-8812-00-312-165

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: Not applicable

6. Other Identifying Number(s): None

7. System Name: NIAMS Internet Website

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ms. Susan Bettendorf

10. Provide an overview of the system: Information Dissemination - NIAMS receives calls requesting various literature related to the NIAMS mission. In order to send the information, the caller's name, address and, optionally, their email address and telephone number are captured.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is shared with the NIAMS Clearing House that sends out requested literature.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: NIAMS collects the caller's name and address, and optionally their email and telephone number, plus a description of the information requested. We also collect IP addresses and pages visited in the log.

The data is used to send the requested information to the requestor. The data is shared with a Clearing House who mails out the information. Once the information (brochure, literature, etc.) is mailed, the data is deleted.

The requestor would need to furnish their name and address (or email address) in order for the requested literature to be mailed.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: When/if major changes occur to the system that could affect or change how the individual's information would be shared, each of the existing individuals would be notified, via mail or email, and requested to consent to the new process. All new users would be made aware of the change when they supply or enter their information.

Under the Privacy Statement tab located on the web site, the requestor is notified of what information will be collected and how it will be used.

The requestor's information is deleted after the materials have been mailed. Changes to the system would not affect the requestor.

The name, address, and optionally an email address and telephone number, are collected from the individual who requests literature from the NIAMS. Without the name and address, the literature could not be mailed.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Admin Controls - The information is maintained on-line by the system and may be accessed and printed by those authorized access to the information. Access to this data is limited to those persons whose official duties require such access.

Physical controls - Access to the System requires an NIH Login userid and password. The system is further restricted to only NIAMS users and the NIAMS domain (servers, and PCs etc residing in NIAMS). The servers are secured in a locked, controlled environment.

Technical controls - The NIAMS ISSO and Server Team monitor and control access to all NIAMS machines, including the Intranet server using system monitoring and intrusion detection tools.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Michael Toland,

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAMS Intranet Website (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-04-02-8812-00-312-165

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: Not applicable

6. Other Identifying Number(s): None

7. System Name: NIAMS Intranet Site

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Danny Heise

10. Provide an overview of the system: None

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Reference SOR # 09-25-0106

The information is shared internally amongst NIAMS Staff. It is used to complete administrative processes/functions.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The agency collects the individual's name, photo, Lab/Branch/Office address, phone numbers, and email address for administrative processes/functions. The photo is voluntary and the other information obtained is mandatory.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: When/if major changes occur to the system that affect or change how the individual's information will be shared, each of the existing individuals would be notified, via mail or email, and requested to consent to the new process. All new users will be made aware of the change when they enter or supply their information.

The Directory information is mandatory and is provided by the Administrative Office. The photo is voluntary. Staff members must sign a consent form before the photo is taken and placed on the Intranet. The site contains a privacy notice that states, "This is a U.S. Government Internal (Intranet) Web site, which may be accessed and used only for authorized Government business by authorized personnel. Unauthorized access or use of content on this Web site may subject violators to criminal, civil, and/or administrative action. All information on this site may be intercepted, recorded, read, copied, and disclosed by and to authorized personnel for official purposes, including criminal investigations. Such information includes sensitive data encrypted to comply with confidentiality and privacy requirements. Access or use of this Web site by any person, whether authorized or unauthorized, constitutes consent to these terms. There is no right of privacy when accessing this site. Information on this site relates only to work and data related to NIAMS activities. No information related to non-business activities of personnel will be collected or presented on this site without the explicit written permission of the personnel involved."

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Admin Controls - The information is maintained on-line by the system and may be accessed and printed by those authorized access to the information. The data is indexed by employee name. Access to this data is limited to those persons whose official duties require such access.

Physical controls - Access to the Intranet requires an NIH Login userid and password. The NIAMS Intranet is further restricted to only NIAMS employees and the NIAMS domain (servers, and PCs etc residing in NIAMS). The servers are secured in a locked, controlled environment.

Technical controls - The NIAMS ISSO and Server Team monitor and control access to all NIAMS machines, including the Intranet server using system monitoring and intrusion detection tools.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Michael Toland,

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAMS Phoenix Data Systems Express (PDS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-8803-00-202-069

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: Not Applicable

6. Other Identifying Number(s): None

7. System Name: Phoenix Data Systems (PDS) Express

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dr. Paul Plotz

10. Provide an overview of the system: A "turnkey" system that organizes data for approximately 30 clinical trials that are underway at NIAMS.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This information is addressed in the NIH Privacy Act Systems of Record Notice 09-25-0200, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system collects patient name and date of birth, and assigns a random patient number. The number is used to track the patient's progress while under the clinical trial. The patient is required to submit their name and date of birth in order to participate in the study. Researchers use clinical trial data to perform analyses and publish reports to Congress.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: When/if major changes occur to the system that affect or change how the individual's information will be shared, each of the existing individuals would be notified, via mail or email, and requested to consent to the new process. All new users will be made aware of the change when they supply or enter their information.

The information is obtained directly from the subject individual by interview, written questionnaire or other means. The information is required as a condition of treatment or enrollment in a clinical trial. Written notice is provided to the subject at the time of enrollment or treatment.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Admin Controls - The information is maintained on-line by the system and may be accessed and printed by those authorized access to the information. Access to this data is limited to those persons whose official duties require such access.

Physical controls - Access to the system requires an NIH Login userid and password. The system is further restricted to only NIAMS users and the NIAMS domain (servers, and PCs etc residing in NIAMS). The servers are secured in a locked, controlled environment.

Technical controls - The NIAMS ISSO and Server Team monitor and control access to all NIAMS machines, including the Intranet server using system monitoring and intrusion detection tools.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Michael Toland,

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAMS Resource Management Services Budget (RMS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-01-02-8806-00

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: Not applicable

6. Other Identifying Number(s): None

7. System Name: NIAMS Resource Management Services (RMS) Budget System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ms. Valerie Green

10. Provide an overview of the system: Create and maintain budget data for the NIAMS Office of the Director programs. The legislation authorizing this activity is 5 U.S.C 1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521, and Executive Order 10561.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Reference SOR # 09-90-0018. This information is further addressed in the HHS Privacy Act Systems of Record Notice 09-90-0018, published in the Federal Register, Volume 59, November 9, 1994.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: NIAMS collects Employee Last and First Names with the salary. Information is used for creating the OD Division budget for each fiscal year.

Data is not matched with any personal identifiers, sensitive data, or Privacy Act data. Data is required to project and create an accurate budget for FTEs.

This information is collected as backup data to create the salary line item for the NIAMS OD budget for the fiscal year.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: When/if major changes occur to the system that affect or change how the individual's information will be shared, each of the existing individuals would be notified, via mail or email, and requested to consent to the new process. All new users will be made aware of the change when they are asked to supply information.

The information is provided by Department officials; only Employee Name and Salary information is gathered via report from the Enterprise Human Resources Program (EHRP).

The information is required, as a condition of employment, to process payroll, taxes, benefits, and other actions and determinations made about an individual while employed.

Written notice is provided to the subject at the time of employment.

Notification procedures include the immediate supervisors of individuals or the administrative offices of the organizational units in which employed. HR may also provide further information concerning the existence of this SOR. Individuals should provide their name, SSN, and organization in which employed.

The information is used by operating officials in carrying out their management responsibilities.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Admin Controls - The information is maintained on-line by the system and may be accessed and printed by those authorized access to the information. Access to this data is limited to those persons whose official duties require such access.

Physical controls - Access to the system requires an NIH Login userid and password. The system is further restricted to only NIAMS users and the NIAMS domain (servers, and PCs etc residing in NIAMS).

Technical controls - The NIAMS ISSO and Server Team monitor and control access to all NIAMS machines, including the Intranet server using system monitoring and intrusion detection tools.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Michael Toland,

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAMS SF-52 (SF-52) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-8801-00-202-069

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: Not applicable

6. Other Identifying Number(s): None

7. System Name: NIAMS SF-52 Tracking

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Janet M. David

10. Provide an overview of the system: The system is used to create, modify, route, and track SF-52 (personnel) actions. IIF data collected/used is the employee's name, DOB, SSN, mailing address, and salary. The information is required, as a condition of employment, to process payroll, benefits, taxes, and other actions and determinations made about an individual while employed.

Reference SOR # 09-90-0018.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Reference SOR # 09-90-0018.

The Office of Personnel Management, Merit System Protection Board, Equal Employment Opportunity Commission, and the Federal Labor Relations Authority in carrying out their functions. Appropriate federal, state or local agencies as deemed relevant or necessary to the Department. Other individuals performing functions for the Department but technically not having the status of agency employees, if they need access to the records in order to perform their assigned agency functions. Used by the NIAMS Administrative Officers (AOs) to track SF52 data. Data collected is required for all SF-52 personnel actions.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The legislation authorizing this activity is 5 U.S.C. 1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521, and Exec Order 10561. NIAMS collects employee name, date of birth, SSN, mailing address and salary. The data is needed to create SF-52 actions. Human Resources uses the SF-52 actions to input information into EHRP. Required statistical reports to upper management and higher headquarters are generated from this information. Data collection is mandatory.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: When/if major changes occur to the system that affect or change how the individual's information will be shared, each of the existing individuals would be notified, via mail or email, and requested to consent to the new process. All new users will be made aware of the change when they supply their information.

(a) The information comes from the individual to whom it applies, is derived from information supplied by the individual, or is provided by Department officials. (b) It is initially supplied by the individual to HR in writing at the time of employment. (c) The information is required, as a condition of employment, to process payroll, taxes, benefits, and other actions and determinations made about an individual while employed.

(d) Written notice is provided to the subject at the time of employment. (e) Notification procedures include the immediate supervisors of individuals or the administrative offices of the organizational units in which employed. HR may also provide further information concerning the existence of this SOR. Individuals should provide their name, SSN, and organization in which employed. The information is used by operating officials in carrying out their personnel management responsibilities.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Admin Controls - The information is maintained on-line by the system and may be accessed and printed by those authorized access to the information. Access to this data is limited to those persons whose official duties require such access.

Physical controls - Access to the system requires an NIH Login userid and password. The system is further restricted to only NIAMS users and the NIAMS domain (servers, PCs, etc. residing in NIAMS).

Technical controls - The NIAMS ISSO and Server Team monitor and control access to all NIAMS machines, including the Intranet server using system monitoring and intrusion detection tools.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Michael Toland

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAMS Systemic Lupus Erythematosus Tracking System (SLE) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-8803-00-202-069

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: Not applicable

6. Other Identifying Number(s): None

7. System Name: Systemic Lupus Erythematosus (SLE) Tracking System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ms. Janet David

10. Provide an overview of the system: Track and maintain Lupus-related clinical test samples.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This information is addressed in the NIH Privacy Act Systems of Record Notice 09-25-0200, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: NIAMS collects Patient Last Name, First Name, Middle Initial, DOB, Gender, Ethnicity, NIH Record Number, Sample Number, and various medical information and test results. This information is used to track test samples and sample related clinical data taken at each patient visit.

During data collection stages and follow-up, retrieval is by personal identifier. During the data analysis stage, data are normally retrieved by the variables of interest. This information is collected to track and account for patient test samples related to Protocol 94-AR-0066. Information is required as a condition of treatment or enrollment in a clinical trial.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: When/if major changes occur to the system that affect or change how the individuals' information will be shared, each of the existing individuals would be notified, via mail or email, and requested to consent to the new process. All new users will be made aware of the change when they supply or enter their information.

a. Information is obtained directly from the subject individual by interview, written questionnaire, or by other tests, recording devices or observations, consistent with legislation and regulation regarding informed consent and protection of human subjects.

b. It is also obtained from other sources, including but not limited to: referring medical physicians, mental health/alcohol/drug abuse or other health care providers; hospitals; organizations providing biological specimens; relatives; guardians; schools; and clinical medical research records.

c. Information is required as a condition of treatment or enrollment in a clinical trial.

d. Written notice is provided to the subject at the time of enrollment or treatment.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Access to identifiers and to link files is strictly limited to the authorized personnel whose duties require such access. Procedures for determining authorized access are established for each location. Records are either stored in locked rooms during off-duty hours, locked file cabinets, and/or secured computer facilities. Computer data access is limited through the use of key words known only to authorized personnel. Collection and maintenance of data is consistent with legislation and regulations in the protection of human subjects, informed consent, and confidentiality. Implementation Guidelines are in compliance with the standards of Chapter 45-13 of the HHS General Administration Manual, "Safeguarding Records Contained in Systems of Records," supplementary Chapter PHS hf: 45-13, and the HHS Automated Information Systems Security Program Handbook.

Admin Controls - The information is maintained on-line by the system and may be accessed and printed by those authorized access to the information. Access to this data is limited to those persons whose official duties require such access.

Physical controls - Access requires an NIH Login userid and password. The system is further restricted to only NIAMS users and the NIAMS domain (servers, PCs, etc. residing in NIAMS). The servers are secured in a locked, controlled environment.

Technical controls - The NIAMS ISSO and Server Team monitor and control access to all NIAMS machines, including the Intranet server using system monitoring and intrusion detection tools.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Michael Toland

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAMS Visual Employee Data System (VEDS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3196-00-403-131

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: Not applicable

6. Other Identifying Number(s): None

7. System Name: NIAMS Visual Employee Database System (VEDS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ms. Valerie Green

10. Provide an overview of the system: This system is used to generate reports containing personnel information, in order to answer queries.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Reference SOR # 09-90-0018

This system is used by the Administrative Officers/Assistants and Management Analyst to respond to queries. This information is further addressed in the HHS Privacy Act Systems of Record Notice 09-90-0018, published in the Federal Register, Volume 59, November 9, 1994.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: VEDS tracks all information pertinent to a personnel file for the purpose of personnel management activities. Information is collected from employees via the EHRP system. Uses consist of the following: a) tracking a time-limited appointment to ensure renewals are done in a timely manner, thereby avoiding any break in service, b) ensuring that allocated FTE ceilings are maintained, c) ensuring salary equality for various hiring mechanisms, d) providing reports requested by the NIH Director, IC Director and other management staff, as requested, and e) maintaining lists of non-FTEs, special volunteers, contractors, and other hiring appointments. The information collected constitutes IIF, and is mandatory for all employees.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: IIF in the system is gathered from the HRDB or EHRP system. Changes to the system or changes in the way the information is used are relayed to employees via official notices from HR or the IC. Individuals are notified of the collection and use of data as part of the hiring process. The information is mandatory if the potential job applicant wishes to seek employment at NIH.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Admin Controls - The information is maintained on-line by the system and may be accessed and printed by those authorized access to the information. Access to this data is limited to those persons whose official duties require such access.

Physical controls - Access to the system requires an NIH Login userid and password. The system is further restricted to only NIAMS users and the NIAMS domain (servers, PCs, etc. residing in NIAMS). The servers are secured in a locked, controlled environment.

Technical controls - The NIAMS ISSO and Server Team monitor and control access to all NIAMS machines, including the Intranet server using system monitoring and intrusion detection tools.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Michael Toland

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIAMS Visual Status of Funds (VSOF) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-02-3198-00-402-125

4. Privacy Act System of Records (SOR) Number: Not applicable

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name: Visual Status of Funds

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Valerie Green

10. Provide an overview of the system: VSOF is the Institute's budget reporting system used to track costs and generate financial status reports. It is a multi-user integrated database of financial transactions from the NIH Central Accounting System used by multiple NIH institutes and centers to monitor the financial status of programs they support.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share or disclose IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Accounting data and related document information is downloaded from Accounting and is relevant or specific to NIAMS for its fiscal year operations. The system contains no IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Not applicable. No IIF is collected from individuals.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Not applicable

PIA Reviewer Approval: Promote


PIA Reviewer Name: Michael Toland

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIBIB Internal Website (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-00-0000-00

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Internal Website

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Colleen Guay-Broder

10. Provide an overview of the system: The NIBIB Internet provides mission-related information to multiple constituencies that include other federal agency staff, extramural researchers, health professionals, educators, students, and professionals.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): does not disclose IIF

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The only data collected are for web site usage statistics and are not retrieved by personal identifier.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: NIBIB website is in compliance with federal law and NIH web policies. The web site does not collect personal data and the privacy notification statement and disclaimers are used and visible from every page, including web pages directed to children. We do not use persistent cookies.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: Yes

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: We do not collect information in identifiable form.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Larry Morton

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIBIB Intranet Website (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-04-00-0000-00

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIBIB Intranet Website

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Colleen Guay-Broder

10. Provide an overview of the system: The NIBIB intranet is an internal use, private network within the NIBIB that is used to maintain procedural and administrative information. The intranet is accessible only by NIBIB employees and others with appropriate authorization.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): does not share or disclose IIF

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: agency will not collect, maintain or disseminate any data using this system.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: do not collect IIF

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The intranet is an internal NIBIB system and does not collect IIF. A firewall surrounding the intranet protects from unauthorized access.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Larry Morton

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIBIB Status of Funds Internet Edition (SOFIE) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: In development

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Status of Funds Internet Edition (SOFie)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Pamela Galpin

10. Provide an overview of the system: SOFie is a web database application that allows institutes to track expenses and the balance of accounts.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The SOFie system gathers financial data together from NIH systems in order to view and manipulate financial information for the ICs' needs. The system does not include any personal information or information in identifiable form.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: System is password protected. Individuals only view accounts pertinent to their area.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Larry Morton

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIBIB Visual Employee Database System (VEDS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3196-00-403-131

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: no

6. Other Identifying Number(s): no

7. System Name: Visual Employee Data System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Pearman

10. Provide an overview of the system: VEDS is a Windows-based application primarily used to manage and track personnel information.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): SOR #09-90-0018. This information is further addressed in the HHS Privacy Act Systems of Record Notice 09-90-0018, published in the Federal Register, Volume 59, November 9, 1994.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The NETCOMM application collects personal information from the NIH Human Resource Database (HRDB) through bi-weekly downloads. Social security numbers are included in the data collected. The data collected is used to manage the organization's personnel information. Under authority 42 USC 287c-21. Submission of personal information is mandatory; however, personal information is not submitted to the VEDS system. VEDS only downloads official personal data that is maintained in the HRDB.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: NIBIB Administrative officer has read only access to the VEDS data and cannot make changes. Therefore, no need for a process to notify and obtain consent.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Access to sensitive data fields is limited on a need-to-know basis. Each user signs a security statement, and any violation results in loss of access to system.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Larry Morton 301-594-6339

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NICHD Child Health Information (CHIRP) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 5, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-04-00-02-4401-00-202-069

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NICHD-0002

7. System Name: CHIRP

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Aubrey Callwood

10. Provide an overview of the system: The Child Health Information Retrieval Program (CHIRP) provides support for grant application and award processing, tracking, scientific coding and report retrieval for the NICHD Extramural program

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: No Information in Identifiable Form (IIF) is collected or stored. CHIRP pulls grants and contract-related data from IMPACII.

The Referral and Program Analysis Branch (RPAB) of NICHD’s Office of Scientific Policy, Analysis, and Communication (OSPAC) assigns each project funding application to the appropriate NICHD branch for review. Once funding has been approved, RPAB then applies extensive scientific coding to the grant record based on the areas of research involved. Throughout the pre- and post-funding process, RPAB maintains summary information about each project for reporting purposes. All project records are then given pre-funding preliminary coding and post-funding scientific coding for detailed and accurate classification. Based on all available project data, highly-flexible querying options allow users to generate various standard and customized reports as necessary for interested internal and external entities.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The system contains no IIF

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Aubrey Callwood

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NICHD Extramural Tracking System (CERES) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 5, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-04-00-02-4404-00-202-069

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NICHD-0001

7. System Name: CERES

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Aubrey Callwood

10. Provide an overview of the system: The CERES system is an automated, web-based tool created to provide an automated method to track the planning and production phases for all proposed and approved scientific initiatives. CERES facilitates the creation of scientific initiatives and related documents; streamlines and controls the structured initiative review, prioritization, and approval process; maintains a strictly controlled repository of all versions of documents and templates; and most importantly, collects initiative-related information, including historic, active, and projected initiative data.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: No Information in Identifiable Form (IIF) is collected. No data is pulled from IMPACII.

CERES collects initiative-related information, including historic, active, and projected initiative data. The documents created and managed within CERES are related to the extramural grant-, contract-, and intramural contract-related scientific initiatives and the production process for extramural grant-related initiatives.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The system contains no IIF

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Aubrey Callwood

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NICHD Visual Employee Database System (VEDS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 5, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3196-00-403-131

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NICHD-0004

7. System Name: VEDS (Visual Employee Database Software)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Aubrey Callwood

10. Provide an overview of the system: Visual Employee Database System (VEDS) is a multi-user Windows application primarily used by NIH institutes and centers, Administrative Officers, Human Resources Specialists and Business Management staff

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: VEDS tracks all information pertinent to a personnel file for the purpose of personnel management activities. Information is collected from employees via the HRDB system. Uses consist of the following: a) tracking a time-limited appointment to ensure renewals are done in a timely manner, thereby avoiding any break in service, b) ensuring that allocated FTE ceilings are maintained, c) ensuring salary equality for various hiring mechanisms, d) providing reports requested by the NIH Director, NICHD Director and other management staff, as requested, and e) maintaining lists of non FTEs, special volunteers, contractors, and other hiring appointments. The information collected constitutes IIF, and is mandatory for all employees.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: IIF in the system is gathered from the HRDB system. Changes to the system or changes in the way the information is used are relayed to employees via official notices from NICHD. Individuals are notified of the collection and use of data as part of the hiring process, and it is mandatory if the potential job applicant wishes to seek employment at NIH.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Records are maintained on-line by the system and may be printed by authorized requesters. Access to and use of these records are limited to those persons whose official duties require such access.

Secured via signon and authentication methods.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Aubrey Callwood

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NICHD Visual Status of Funds (VSOF) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submissio

3. Unique Project Identifier (UPI) Number: 009-25-01-01-02-3198-00-402-125

4. Privacy Act System of Records (SOR) Number: 09-90-0024

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NICHD-0003

7. System Name: VSOF (Visual Status of Funds)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Aubrey Callwood

10. Provide an overview of the system: Visual Status of Funds (VSOF) is a multi-user integrated database of financial transactions that provides budget and accounting information in a user-designed format. VSOF consists of linked Microsoft Excel spreadsheets that meet particular requirements

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: No Information in Identifiable Form (IIF) is collected or stored. Accounting data and related document information is downloaded from DataWarehouse and is relevant or specific to NICHD for its fiscal year operations tracking of expenditures

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The system contains no IIF

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Aubrey Callwood

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDA Drug Inventory Supply and Control System (DISCS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 26, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: Unknown

4. Privacy Act System of Records (SOR) Number: 09-25-0210

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NIDA3

7. System Name: Drug Inventory Supply and Control System (DISCS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Berhane Yitbarek

10. Provide an overview of the system: This system accounts for research grade drugs made available for distribution for research and analytical purposes. Materials are provided on request from persons authorized by the DEA (Drug Enforcement Administration) and following procedures specified by that agency. This system maintains (1) records of quantities in inventory by DEA classification and locally assigned catalog information, (2) records of all distributions of quantities of materials by inventory account, order number and requesting individual. If shipment is to a secondary address because of DEA registration or radiation safety requirements, that information is also maintained.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This information is shared with contractors for the purpose of verifying eligibility to receive material and to provide shipping information. This information will also be shared as indicated in SOR 09-25-0210 and with law enforcement in accordance with existing laws.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Types of information contained in the records are: researcher's name, DEA (Drug Enforcement Administration) registration numbers, business address (location of research project), telephone number and e-mail address, requests for substance(s), name and amount of each compound requested and shipped, date material is shipped and received, shipment numbers, and DEA order form numbers. Data collected are the minimum necessary to satisfy DEA record requirements, to allow contact with requestor and, finally, to ship materials to requestor.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There are no procedures to notify users of changes in use of IIF collected. This system serves the single purpose of accounting for drugs distributed primarily for research and analytical purposes and providing the distributor with contact and shipping address information to comply with requests for materials from NIDA supplies. Additional information is collected for the sole purpose of accounting for the drug materials in accordance with law and regulations pertaining.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Authorized users only. The "hard copy" records and main computer are physically located at the Neuroscience Center, Bethesda, Maryland. The computerized records are kept in a room with controlled access. The room is locked at all times. The "hard copy" records are stored in locked file cabinets in a room with controlled access. This room is locked when not occupied. The Neuroscience Center has a 24-hour guard patrol service. The terminals are housed in a secured work area with limited admittance. Contract personnel use a password identification system to obtain access and encrypted connections to ensure data security.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Mark Green, 301-435-1431

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDA Extramural Project System (NEPS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-9301-00-202-069

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): NIDA 1

7. System Name: National Institutes on Drug Abuse Extramural Project System (NEPS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Berhane Yitbarek

10. Provide an overview of the system: NEPS is a NIDA corporate extension system to IMPAC II. This system provides online management, reporting, and tracking of grant data.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): IIF is disclosed to general public and Congress as requested per SOR 09-25-0036

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Authority for collection of this information is 5 U.S.C. 301; 42 U.S.C. 217a, 241, 282(b)(6), 284a, and 288. 48 CFR Subpart 15.3 and Subpart 42.15. The IIF that the system captures on the public is obtained from the NIH IMPACII system. This system does not directly collect information but rather retrieves the information from the NIH IMPACII system. The IIF that the system retrieves is about individuals employed by NIDA and involved in the grants business process. IIF includes name, address, phone number, and financial account information. Most information supplied is mandatory as it is needed to process a grant application.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There are no processes in place to notify and obtain consent from individuals regarding the IIF used in this system when major changes have occurred.

Forms used by NIH to collect Privacy information (such as PHS 398) clearly state the purpose of the information being collected.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is secured using username/passwords, least privilege, separation of duties, firewalls, locks, badge access, background investigations.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Mark Green, 301-435-1431

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDA Human Research Information System (HuRIS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 28, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-9318-00-202-069

4. Privacy Act System of Records (SOR) Number: 09-25-0203

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NIDA 5

7. System Name: Human Research Information System (HuRIS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Pei-Li Chao

10. Provide an overview of the system: To collect and maintain a database for research activities at NIDA/IRP. To enable Federal drug abuse researchers to evaluate and monitor the subjects' health during participation in a research project. The areas of research include, but are not limited to, biomedical, clinical, behavioral, pharmacological, psychiatric, psychosocial, epidemiological, etiological, statistical, treatment and prevention of narcotic addiction and drug abuse.

Authority: Public Health Service Act, Section 301(a) (42 U.S.C. 241(a)); Sections 341(a) and 344 (d) (42 U.S.C. 257(a) and 260

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The authorized users at the NIDA/IRP and other authorized individuals according to the Privacy Act System of Records (SOR) Number 09-25-0203. This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0203, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The National Institute on Drug Abuse (NIDA) recruits volunteers and screens these individuals for their acceptability to participate in specific research projects. For this purpose, HuRIS is used to collect, manage and maintain information on these participants. The collected data contains information in identifiable form (IIF) and includes, but is not limited to: name, study identification number, address, relevant telephone numbers, social security number, date of birth, weight, height, sex, race, and social, economic and demographic data. In compliance with relevant regulations, NIDA may disclose information to State or local public health departments. Submission of all information by research participants is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The information is strictly used for the purposes for which consent has been obtained. No other use of the data is allowed which is outside the scope of the existing consent; a major change in the research requires new consent. The participants are made well aware of the usage of the information they provide and sign consent for which it is obtained by Federal personnel that they are eligible to participate and consent.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Only authorized NIDA Intramural Research Program staff are allowed access to these files.

Physical Safeguards: Files and file rooms are locked after business hours. Building has electronic controlled entry at all times with a 24-hour security guard and television surveillance system. The computer terminals are in a further secured area.

Procedural Safeguards: All users of personal information in connection with the performance of their jobs protect information from unauthorized personnel. Access codes to the research records are available only to the Principal Investigator and his/her research team. Access to the records is strictly limited to those staff members trained in accordance with the Privacy Act. The contractor staff members are required to secure the information in accordance with the Privacy Act. Project Officer and contracting officials will monitor contractor compliance.

Access to the Human Research Information System (HuRIS): The NIDA IRP computerized medical and research record is strictly limited. All staff must be authorized to use the system and be granted an access code (user name and password) by the system sponsor (NIDA, IRP Chief of Biomedical Informatics). Passwords are required to be changed every six months. Access is limited by job classification and is on a need to know basis only. Data entered is time and date stamped by the staff member’s name. Data is not altered once entered. While logged into the system, the name of the staff member is displayed on the screen. An activity log of each use is kept. Data is backed up on a daily basis.

Implementation Guidelines: These practices are in compliance with the standards of Chapter 45-13 of the HHS General Administration Manual, "Safeguarding Records Contained in Systems of Records," supplementary Chapter PHS hf: 45-13, and the HHS Automated Information Systems Security Program Handbook. In addition, because much of the data collected in these research projects are sensitive and confidential, special safeguards have been established. Certificates of confidentiality have been issued under Protection of Identity - Research Subjects Regulations (42 CFR Part 2a) to those projects initiated since February 1980. This authorization enables persons engaged in research on mental health, including research on the use and effect of psychoactive drugs, to protect the privacy of research subjects by withholding their names or other identifying characteristics from all persons not connected with the conduct of the research. Persons so authorized may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding to identify such individuals. In addition, these records are subject to 42 CFR Part 2, the Confidentiality of Alcohol and Drug Abuse Patient Records Regulations (42 CFR 2.56), which state: "Where the content of patient records has been disclosed pursuant to these regulations for the purpose of conducting scientific research...information contained therein which would directly or indirectly identify any patient may not be disclosed by the recipient thereof either voluntarily or in response to any legal process whether Federal or State."

PIA Reviewer Approval: Promote


PIA Reviewer Name: Mark Green, 301-435-1431

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDA NIDA Internet Website (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 28, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH NIDA Internet Website

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Mark Fleming

10. Provide an overview of the system: Website for the National Institute on Drug Abuse for public use.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Yes, with contractors for order fulfillment.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Log files for statistical purposes.

The webserver logfile logs the following information:

The Internet domain (for example, "" if you use a private Internet access account, or "" if you connect from a university's domain), and IP address (an IP address is a number that is automatically assigned to your computer whenever you are surfing the Web) from which you access our website

The type of browser and operating system used to access our site,

The date and time you access our site,

The pages you visit, and

If you linked to our website from another website, the address of that website.

Ordering information for product fulfillment. This information is collected through an online form and is only kept long enough to fulfill the obligation. Upon completion, this information is deleted immediately. Voluntary submission by user.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The information is not stored for any length of time and is deleted once completed. No need for notification of change and there are no processes in place to notify individuals when major changes occur. The information is sent to the contractor for order fulfillment only.

There are processes in place to obtain consent and information is stored as described in privacy policy.

from privacy policy *

"If you choose to provide us with additional information about yourself through an e-mail message, form, survey, etc., we will only maintain the information as long as needed to respond to your question or to fulfill the stated purpose of the communication."

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: Yes

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Secured through cipher locked office, badge entry to building, passwords, and key card usage.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Mark Green, 301-435-1431

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDA NIDA Intranet Website (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 28, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH NIDA Intranet

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Mark Fleming

10. Provide an overview of the system: Internal resources for NIDA staff.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Log files for statistical purposes.

The webserver logs the following information:

The Internet domain (for example, "" if you use a private Internet access account, or "" if you connect from a university's domain), and IP address (an IP address is a number that is automatically assigned to your computer whenever you are surfing the Web) from which you access our website

The type of browser and operating system used to access our site,

The date and time you access our site,

The pages you visit, and

If you linked to our website from another website, the address of that website.

There is no IIF data.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Mark Green, 301-435-1431

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDA Visual Status of Funds (VSOF) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 28, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-02-3198-00-402-125

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: Unknown

6. Other Identifying Number(s): NIDA 6

7. System Name: Visual Status of Funds (VSOF)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna M. Jones

10. Provide an overview of the system: The purpose of the system is for query and review of accounting data in order to monitor obligations and expenditures associated with current and prior fiscal years. An organizational reporting tool that allows manipulation and reporting on financial transactions downloaded from the central accounting system.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Accounting data and related document information is downloaded from a central accounting mainframe and is relevant or specific to an institute or center for its fiscal year operations.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Mark Green, 301-435-1431

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDCD CMS (CMS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIDCD Content Management Server (CMS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jackie Jones (NIDCD CIO, 301-402-1128)

10. Provide an overview of the system: The CMS System is a comprehensive solution for managing web content and supports NIDCD’s mission to the general public. CMS allows creation of dynamic web sites using extensible CMS controls. Users can create, publish, and manage their own web content through the appropriate CMS control. NIDCD General public sites are Internet and StemCell. Internal sites are NIDCD Intranet, NIDCD Board of Scientific Counselors and Advisory Council.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is used internally only. SOR # 09-25-0106 safeguards are used to ensure only appropriate people have access to the information, and that they are aware of their responsibilities for proper handling of the information.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Employee contact information is pulled from the NIH Employee Database (NED) system for all NIDCD employees. Fields pulled are: First name, Last name, Phone number, e-mail address, org. unit, Building number, room number, Fax number, NED Classification (employee, fellow, contractor etc) and Mail Stop Code.

The information is displayed on the Intranet site and is used to facilitate communication between employees. The NIDCD CMS system does not feed into any system.

The information is stored in identifiable form.

Inclusion is mandatory since inclusion in NED is mandatory for all people working at NIH who require an ID badge and or AD account.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Consent for the listing of personal information in the NIH Employee Database (NED) is given at the time they are hired \ begin working at the NIH. No additional processes are employed by NIDCD to inform individuals when major system changes are made to the CMS System, or to inform them how their information will be used or shared on the CMS System.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is in an electronic system on NIH secure network infrastructure and is password protected with access limited to only authorized users. NIDCD periodically reviews and implements policies in line with HHS guidelines.

PIA Reviewer Approval: Promote

Comments: Reviewed & promoted by NIDCD ISSO (7-5-07)

PIA Reviewer Name: Luis Ochoa (NIDCD ISSO - 301.402.1128)

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDCD LMG (Olioga) (LMG) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIDCD Laboratory Molecular Genetics (LMG)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jackie Jones (NIDCD CIO, 301-402-1128)

10. Provide an overview of the system: The NIDCD Laboratory of Molecular Genetics (LMG) database system is a comprehensive solution for managing, tracking laboratory specimens\supplies stored in laboratory freezers. The LMG Intranet system supports approximately 32 users in the NIDCD LMG Group located at the 5 Research Court facility.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is used internally only. SOR # 09-25-0200 safeguards are used to ensure only appropriate people have access to the information, and that they are aware of their responsibilities for proper handling of the information.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The information contained in the LMG System includes patient first name, last name, close familial relation to other individuals contained in the system (such as father, mother, brother, sister, aunt, uncle etc), Hearing loss status (affected vs not affected), Gene mutation information, only where it relates to the hearing loss trait.

The information is used as part of an IRB approved study to identify, and better understand the relationship between hearing loss and genetics.

The information is stored in Identifiable Form.

Inclusion in the study and therefore this database is completely voluntary and there is a process by which a subject can request that they no longer be included in the study \ database.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Patients are informed in writing concerning how their information will be collected, used, and shared during the course of the study. Patient consent for the use of their information is obtained prior to inclusion in the study.

No additional processes are employed by NIDCD to inform individuals when major system changes are made to the LMG System.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The IIF is secured using layered security practices. The information is contained in a password protected database. Physical security of the building does not allow unauthorized people to enter, and the computer facilities are further protected by locked doors. Multiple layers of firewalls also ensure that only appropriate network traffic is allowed to pass.

PIA Reviewer Approval: Promote

Comments: Reviewed by NIDCD ISSO (7-5-07)

PIA Reviewer Name: Luis Ochoa (NIDCD ISSO, 301.402.1128)

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDCD Visual Status of Funds (VSOF) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-02-3198-00-402-125

4. Privacy Act System of Records (SOR) Number: 09-90-0024

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIDCD Visual Status of Funds (VSOF)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jackie Jones (NIDCD CIO, 301-402-1128)

10. Provide an overview of the system: The purpose of the system is for query and review of accounting data in order to monitor obligations and expenditures associated with a current fiscal year. Accounting data and related document information is downloaded from a central accounting mainframe and is relevant or specific to an institute or center for its fiscal year operations. System is able to monitor, track, query and report on the Institute’s fiscal and budgetary data.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No PII is collected.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: No PII is collected. Accounting data and related document information is downloaded from a central accounting mainframe and is relevant or specific to an institute or center for its fiscal year operations.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No PII is collected.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No PII is collected.

Information is in an electronic system on NIH secure network infrastructure and is password protected with access limited to only authorized users. NIDCD periodically reviews and implements policies in line with HHS guidelines.

PIA Reviewer Approval: Promote

Comments: Reviewed & promoted by NIDCD ISSO (7/6/07)

PIA Reviewer Name: NIDCD ISSO (Luis Ochoa, 301.402.1128)

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK CReW BioInformatics (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jul 11, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-0727-00-110-249

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): 05-DK-0085

7. System Name: CReW BioInformatics

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Errin Frahm

10. Provide an overview of the system: The CReW system is an Intramural NIDDK system that manages the clinical trials. The system was installed specifically for the needs of our intramural research staff and is tailored to meet the needs of a diverse range of studies.

The driving factors for the installation of the system were:

- Provide a means to handle the specialized requirements of NIDDK study processes

- Provide a location to save the large volume of outside clinical data

- Allow retrieval of data for research purposes.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): A record may be disclosed for a research purpose, when the Department: (A) has determined that the use or disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained; patient records will be made only in accordance with the restrictions of confidentiality statutes and regulations 42 U.S.C. 241, 42 U.S.C. 290dd-2, 42 CFR Part 2, and where applicable, no disclosures will be made inconsistent with an authorization of confidentiality under 42 U.S.C. 241 and 42 CFR Part 2a; (B) has determined that the research purpose (1) cannot be reasonably accomplished unless the record is privacy of the individual that additional exposure of the record might bring; (C) has required the recipient to (1) establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record; (2) remove or destroy the information that identifies the individual at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the research project, unless the recipient has presented adequate justification of a research or health nature for retaining such information, and (3) make no further use or disclosure of the record except (a) in emergency circumstances affecting the health or safety of any individual, (b) for use in another research project, under these same conditions, and with written authorization of the Department, (c) for disclosure to a properly identified person for the purpose of an audit related to the research project, if information that would enable research subjects to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audit, or (d) when required by law; and (D) has secured a written statement attesting to the recipient's understanding of, and willingness to abide by, these provisions. 
Recipients shall be required to comply with the requirements of the Privacy Act of 1974, as amended, pursuant to 5 U.S.C. 552a(m). Medical information may be disclosed in identifiable form to tumor registries for maintenance of health statistics, e.g., for use in research studies. PHS may inform the sexual and/or needle-sharing partner(s) of a subject individual who is infected with the human immunodeficiency virus (HIV) of their exposure to HIV, under the following circumstances: (1) The information has been obtained in the course of clinical activities at PHS facilities carried out by PHS personnel or contractors; (2) The PHS employee or contractor has made reasonable efforts to counsel and encourage the subject individual to provide the information to the individual's sexual or needle-sharing partner(s); (3) The PHS employee or contractor determines that the subject individual is unlikely to provide the information to the sexual or needle-sharing partner(s) or that the provision of such information cannot reasonably be verified; (4) The notification of the partner(s) is made, whenever possible, by the subject individual's physician or by a professional counselor and shall follow standard counseling practices. PHS may disclose information to State or local public health departments, to assist in notification of the subject individual's sexual and/or needle-sharing partner(s), or in verification that the subject individual has notified such sexual or needle-sharing partner(s). Certain diseases and conditions, including infectious diseases, may be reported to appropriate representatives of State or Federal Government as required by State or Federal law. Disclosure may be made for the purpose of reporting child, elder or spousal abuse or neglect or any other type of abuse or neglect as required by State or Federal law.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Patients sign a written consent form, entitled "Consent to Participate in a Clinical Research Study" with continuation sheets, as required. The information is collected from patients, outside medical entities (referring physicians of the patients), and the NIH Clinical Center. The collected data is used as an aid for clinical personnel as well as the basis for research in diabetes, digestive and kidney diseases. The data consists of basic demographics, laboratory test results, medications, diagnostic images and other medical data. This data is the minimum necessary to present a clinical description of a patient and to allow retrospective research on clinical outcomes. Data submission is voluntary. Information collected, maintained and disseminated as part of this clinical study contains information in identifiable form that is voluntarily provided by the subjects of this research.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Collection and use: Prior to any treatment and collection of medical data, the patient signs a protocol consent form. Via consent to medical treatment, the patient is implicitly acknowledging the collection of medical data. The protocol consent form explicitly addresses the use and distribution of that data with respect to confidentiality and the Federal Privacy Act.

System changes: There is a mechanism to amend the consent based on protocol changes. Patients are required to sign any new approved amendments. This mechanism could be used to cover changes in data policy and/or usage.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Technical, physical and administrative controls are in place to ensure the security of the information. The application enforces assigned authorizations for controlling role-based access to records at the application level using user identification and password. Role-based access is limited to the nurses and doctors conducting patient data collection and research. Restricted access to privileged functions additionally uses an enforcement mechanism of two-factor authentication using RSA tokens. Privileged access is limited to the system administrators, programmers, and database administrator supporting the CReW BioInformatics application.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Cyrus Karimian, CIO, NIDDK

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK GI DOCS (GI DOCS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 11, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: GI Docs

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tahir Rameez

10. Provide an overview of the system: GI DOCS is a Major Application whose mission is to digitally report findings from gastroenterological endoscopic exams of the upper and lower gastrointestinal tract, including the ability to record digital pictures. It is part of modern clinical practice in gastroenterology and considered a part of routine clinical care. Procedures are recorded as they are done and the information for each procedure is collected from a particular patient for a particular procedure.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: GI DOCS is a Major Application whose mission is to digitally report findings from gastroenterological endoscopic exams of the upper and lower gastrointestinal tract, including the ability to record digital pictures. It is part of modern clinical practice in gastroenterology and considered a part of routine clinical care. Procedures are recorded as they are done and the information for each procedure is collected from a particular patient for a particular procedure.

The submission of the personal information is voluntary. SSNs are not entered into the GIDOCS database here at NIH although there is a field that could be used. Instead, we identify and track patients by their medical record #, name and dates. We have no plans to use SSNs.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: GI DOCS is a Major Application whose mission is to digitally report findings from gastroenterological endoscopic exams of the upper and lower gastrointestinal tract, including the ability to record digital pictures. It is part of modern clinical practice in gastroenterology and considered a part of routine clinical care. Procedures are recorded as they are done and the information for each procedure is collected from a particular patient for a particular procedure.

Consent is usually not obtained from patients to maintain medical records. Data is retained on servers maintained by NIDDK, and a hard copy is printed which is inserted into the patient’s medical chart. This is kept in medical records.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Technical, physical and administrative controls are in place to ensure the security of the information. These include an up-to-date System Security Plan, Contingency Plan, regular offsite backup of the data, and yearly security awareness training for all personnel. The system is certified and accredited.

The information is secured through multiple levels of security and access controls have been established to authenticate the user and to determine if the user has the authorization to perform actions requested. The access controls are supplemented with a secure network at both NIH and NIDDK.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Cyrus Karimian

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK Human Nutrition Research and Information Management (HNRIM) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 11, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Human Nutrition Research Information Management System (HNRIM)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: James Krebs-Smith

10. Provide an overview of the system: The Human Nutrition Research and Information Management (HNRIM) system is a database of federally funded research projects created for the purpose of fiscal accounting, management, and control of cross-agency human nutrition research activities.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): System Does not Store IIF : Reference 09-25-0036

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The Human Nutrition Research and Information Management (HNRIM) system is a database of federally funded research projects created for the purpose of fiscal accounting, management, and control of cross-agency human nutrition research activities. The database was developed under a plan for a human nutrition management system, pursuant to Section 1427 of the National Agricultural Research, Extension, and Teaching Policy Act of 1977 (P.L. 95-113), as amended by Section 1425 of the National Agricultural Research, Extension, and Teaching Policy Act Amendments of 1981 (P.L. 97-98). The system has been fully operational since 1985.

The HNRIM system includes data on nutrition research and training expenditures from: Department of Health and Human Services (DHHS), U.S. Department of Agriculture (USDA), Department of Veterans Affairs (DVA), Agency for International Development (AID), Department of Defense (DOD), and Department of Commerce (DOC); it also includes data from the National Aeronautics and Space Administration (NASA) and National Science Foundation (NSF) when they sponsor nutrition research. The information provided for each project includes sponsoring organization, project identifier numbers, project title, principal investigator, organization name, address, project abstract, fiscal year, start date, project expenditures, estimated nutrition expenditures, nutrition classification codes, and project abstracts. The information can be retrieved through a web-based query system. The collected information has a variety of uses, including the following: providing the NIH Office of Financial Management with final confirmed Institute/Center obligations for nutrition-related research and training activities; providing information for reports such as the Annual Report of the NIH Program in Biomedical and Behavioral Nutrition Research and Training; Nutrition Research at the NIH, NIH Data Book, and Report on USDA Human Nutrition and Education Activities; providing information for nutrition-related congressional testimony; responding to requests from other government agencies, academic researchers, professional and trade organizations, health care providers, industry and the general public. Data collected for HNRIM are the minimum necessary to support these uses. HNRIM contains no IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: System Does not Store IIF

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The data resides on a secure server, protected by user ID, passwords, firewall, and intrusion detection.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Thomas, Howard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK Internet Website (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 11, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH NIDDK Internet Web site

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Roberta Albert

10. Provide an overview of the system: The NIDDK Internet Web site system includes the development and maintenance environment for all public Web sites hosted by NIDDK. These Web sites serve as communication tools for disseminating information to support the mission of the Institute.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): On IIF from Intramural researchers is displayed to the general public in order to provide contact information and a description of the research conducted. Ref.SOR #: 09-25-0106

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system hosts web based forms that offer one way the public can communicate with NIDDK. These forms are designed to collect a name, mailing address, phone number, comment, or email address; however, the user is never required to provide this information. This information is then forwarded via email to either NIDDK’s webmaster or the Office of Public Liaison. (This information is never captured, stored or maintained on the web system.) The forwarded email communication, when received by the designated office, is addressed and then promptly deleted. The Office of Public Liaison may keep email for several months in order to provide follow up actions.

IIF from Intramural researchers (name, photograph, lab location, email address, lab phone, lab fax, research statement, education info, and publications) is collected and stored through NIDDK’s Intranet system and displayed on the Internet system (public access web pages). For example please see The submission of information is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: All NIDDK Web pages display a link called “Privacy” which directs users to our Institute’s privacy policy. This page can be seen at

This page explains that NIDDK does not capture personally identifiable information unless provided by the user. This page also offers contact information for NIDDK’s Privacy officer, in the event the user has additional questions.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: NIH NIDDK Internet Web site system does not store IIF.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Thomas, Howard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK Intranet Website (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 11, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-25-0216

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH NIDDK Intranet Web site

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Roberta Albert

10. Provide an overview of the system: The NIDDK Intranet Web site system provides and manages information that supports the work of NIDDK employees.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The IIF collected by the Intranet system is only shared/disclosed to NIDDK staff responsible for managing that information. Ref SOR # 09-25-0216

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: NIDDK Intranet uses a web based form to collect staff registration information for Institute retreats. The type of information collected includes staff name, lab address, phone number, email address, whether they are presenting, special dietary requirements, transportation needs and roommate preference. This information is only used by administrative staff responsible for organizing these retreats. Supplying this personal information through the system is NOT mandatory.

In addition, another form collects Investigator information such as name, lab address, email, education, research statement, publications, research interests, and a photograph. This information is posted on the public facing website located at . Only web staff and owner of the content have direct access to this information within the intranet web system. The submission of this information is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Both web forms display language that indicates the intended use of the collected information and provides contact information for the staff handling this collected information. The forms that collect Investigator information (for display on the public website) additionally contain a link titled “Privacy” which leads to a page that posts NIDDK’s privacy policy and provides contact information for NIDDK’s Privacy Officer. Investigators are required to review and update their own information on a yearly basis. All changes to the system are approved by an Intramural Web Advisory Group and then investigators are notified via email.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The Intranet web system requires user authentication provided by active directory. Further controls are put in place on individual IIF containers. The IIF for staff retreats are contained within a spreadsheet in a restricted folder. This folder can only be accessed by web and administrative staff responsible for retreat. The IIF for the public facing website can only be accessed by web staff and the owner of the content. All IIF are contained on servers that are located behind firewalls, password protected and are physically locked in a server room.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Thomas Howard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK Patient Information System (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 11, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-8412-00-202-069

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH NIDDK Patient Information System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tahir Rameez

10. Provide an overview of the system: Medical data storage and analysis system involving the study of diabetes, obesity and related diseases among American Indian tribes, in particular the Pima of Arizona.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): IIF is made available to designated administrative personnel for data collection and maintenance. IIF is made available to designated NIH research scientists for analysis in the context of diabetes and obesity research and treatment. Data is shared with Indian Health Service and the Gila River Indian Community through the Gila River Health Care Corporation, both as research findings and as records affecting patient care.

Also see Privacy Act System of Records (SOR) Number 09-25-0200.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Medical data is collected under IRB approved protocols at periodic examinations in support of various research studies among native Americans principally involving diabetes and obesity. The data contains IIF. Participation in the research as well as submission of the IIF is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Subjects are required to sign a consent form before any information can be collected. The form describes what is to be collected, the reasons therefor, and the destination of that data.

In the event of a major system change subjects still living will be asked to re-consent to such changes. Ongoing demographic data is maintained by the system to facilitate contacting of subjects.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Computerized copies of the data collected are physically maintained on a computer server. Paper records are maintained in a designated records room. Both the server and paper records are protected by key entry doors and further protected 24/7 by security guards in the context of overall campus security. Access to both systems is restricted to personnel determined administratively on a need to know basis. Access to computerized data is password restricted to authorized personnel.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Howard Thomas

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK RAID Type 1 - Diabetes (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 11, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: T1D-RAID Database

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tahir Rameez

10. Provide an overview of the system: The T1D RAID Tracking System is adapted from a tracking system initially built by the National Cancer Institute. It is a customizable database application for tracking requests to the T1D RAID program. The system enables the T1D RAID program officer and administrator to maintain a historical accounting of all requests received and their handling after peer review for reporting to management on the progress of the program. For requests currently under consideration, it allows tracking of the proposals as they are reviewed and, if applicable, as a project is being supported.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): NO

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The T1D RAID Tracking System is adapted from a tracking system initially built by the National Cancer Institute. It is a customizable database application for tracking requests to the T1D RAID program. The system enables the T1D RAID program officer and administrator to maintain a historical accounting of all requests received and their handling after peer review for reporting to management on the progress of the program. For requests currently under consideration, it allows tracking of the proposals as they are reviewed and if applicable, as a project is being supported. This data is not retrieved by any personal identifiers.

T1D-RAID Database does not store IIF

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: T1D-RAID Database does not store IIF

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: T1D-RAID Database does not store IIF

PIA Reviewer Approval: Promote


PIA Reviewer Name: Howard Thomas

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK Scientific Information Management Online Network Financial Management System (SIMON) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 11, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-01-02-3103-00

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH NIDDK Financial Management System (SIMON) Scientific Information Management On-Line Network

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tahir Rameez

10. Provide an overview of the system: (SIMON) is a system which tracks applications and grants submitted to the NIH by biomedical institutions requesting Federal funding in support of their research and which are administered by the NIDDK. (SIMON) is a management/reporting tool to assist NIDDK program administrative staff in the management of their grant/application portfolios. The data contained in (SIMON) is not collected by the NIDDK but is downloaded from the NIH relational database system (IMPACII).

The information contained in (SIMON) is collected by the NIH pursuant to its statutory authorities for awarding grants, contained in Sections 301 (a) and 487 of the PHS Act, as amended (42 USC 241a and 42 USC 288).

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The available information provided for each grant/application includes name, institution, address, phone number, and e-mail address of the principal investigator; title of the research project; project number assigned by the NIH; total fiscal year expenditures of the project; and other data used by the NIH and NIDDK for administrative purposes. The information can be retrieved through an intranet web-based reporting system. The information has a variety of uses, including the following: reports used by NIDDK staff to manage their portfolio of grants and/or applications, providing the NIH Office of Financial Management with final confirmed Institute/Center obligations for research and training activities; preparing reports; providing information for congressional testimony; responding to requests from other government agencies, academic researchers, professional and trade organizations, private industry and the news media. Data available in (SIMON) are the minimum necessary to support these uses.

The data contained in (SIMON) is submitted to the NIH by institutions as part of their request for Federal support.

SIMON Does not store IIF

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: SIMON Does not store IIF

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The data resides on a secure server, protected by user ID, passwords, firewall, and intrusion detection

PIA Reviewer Approval: Promote


PIA Reviewer Name: Howard Thomas

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK Technology Transfer (TTTS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 11, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: NO

4. Privacy Act System of Records (SOR) Number: 09-25-0168

5. OMB Information Collection Approval Number: NO

6. Other Identifying Number(s): 09-25-0168

7. System Name: Technology Transfer Tracking System

Health Service by its Employees, Grantees, Fellowship Recipients, and Contractors, HHS/NIH/OD

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tahir Rameez

10. Provide an overview of the system: The Technology Transfer Tracking System (TTTS) is a commercial off-the-shelf (COTS) product developed by Knowledge Sharing Systems that is a customizable database application for managing and tracking data and processes related to protecting and transferring technologies including patenting and agreements negotiations and pre-issuance and post-execution monitoring. The TTTS system enables the Office of Technology Transfer Development to identify legal deadlines, store agreements and technologies, provide information access to technology managers and investigators, track events, and automate processes. The system automatically generates documents, logs events, and logs due dates when certain criteria are met or triggers are hit.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Only employees of NIDDK and contractors working on the NIDDK domain can access the names, work addresses and phone numbers in the system provided for the purpose of contacting or tracking contacts of the persons who provided their information for that person. Reference SOR # :09-25-0168

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system contains contact information, including name, work address, work e-mail address, work phone numbers and in a few instances, cell phone number, for persons who are involved in collaborations or negotiations for collaborations with NIDDK or for transfer of scientific materials, including NIDDK employees. The information is used to contact persons for communications involving the relevant collaboration or request. No particular information is mandatory

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No processes are in place to notify individuals whose information is in the system.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is accessible only through a username and password. The policy for passwords is that they include at least one number and at least one capital letter. Only the administrative access permits permissions of users to be provided or removed. The system is operated and accessed only on government-owned computer systems, behind a firewall. The user must be accessing the system from a recognized and previously-identified static IP address from within the NIDDK.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Howard Thomas

Sr. Official for Privacy Approval: Promote

Comments:

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK Teleresults (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 11, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: NO

4. Privacy Act System of Records (SOR) Number: 09-25-0099

5. OMB Information Collection Approval Number: NO

6. Other Identifying Number(s): NIDDK P.O. number 263-MK-015345 for Teleresults

7. System Name: Teleresults

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dr. Michael Ring

10. Provide an overview of the system: The Teleresults/Lab Grabber system manages the clinical and research data for patients of the Transplant Branch and the Autoimmunity and Islet Branch. The system was installed specifically for the needs of the solid organ transplant floor, but its use now includes other patients as well.

The driving factors for the installation of the system were:

- Provide a means to handle the specialized requirements of transplant processes

- Provide a location to save the large volume of outside clinical data

- Allow retrieval of data for research purposes.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Walter Reed Army Medical Center for medical evaluation and consults. In addition, please refer to SOR #09-25-0099

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The information is collected from patients, outside medical entities, and the NIH Clinical Center. The collected data is used as an aid for clinical personnel as well as the basis for research in organ transplant and immunology. The data consists of basic demographics, laboratory test results, medications, and other medical data. This data is the minimum necessary to present a clinical description of a patient and to allow retrospective research on clinical outcomes. Data submission is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Collection and use: Prior to any treatment and collection of medical data, the patient signs a protocol consent form. Via consent to medical treatment, the patient is implicitly acknowledging the collection of medical data. The protocol consent form explicitly addresses the use and distribution of that data with respect to confidentiality and the Federal Privacy Act.

System changes: There is a mechanism to amend the consent based on protocol changes. Patients are required to sign any new approved amendments. This mechanism could be used to cover changes in data policy and/or usage. Given the nature of the system (clinical/research), we have had no need for such amendments based on data policy nor do we anticipate any.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Technical, Physical and administrative controls are in place to ensure the security of the information. These include an up to date System Security Plan, Contingency Plan, regular offsite backup of the data, and yearly security awareness training for all personnel. The system is certified and accredited.

The information is secured through multiple levels of security and access controls have been established to authenticate the user and to determine if the user has the authorization to perform actions requested. The access controls are supplemented with a secure network at both NIH and NIDDK.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Howard Thomas

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK Title 42 (Title 42) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 11, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-90-0024

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: T42 Tracking System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tahir Rameez

10. Provide an overview of the system: T 42 Tracking System is used to gather and report on “special pay” T42 employee’s financial data

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): System Does Not share IIF : Ref. SOR # 09-90-0024

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The information that is collected is the name, title, series, organizational location, salary, and award data for T42 employees in the NIDDK. It is used to monitor this information and provide reports to senior administrative officials who have a need to know the information. This information contains IIF and is downloaded from the NIH Data Warehouse; the submission is mandatory.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There is no process in place to notify or obtain consent from individuals whose IIF is in the system.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Technical, Physical and administrative controls are in place to ensure the security of the information. These include an up to date System Security Plan, Contingency Plan, regular offsite backup of the data, and yearly security awareness training for all personnel. The system is certified and accredited.

The information is secured through multiple levels of security and access controls have been established to authenticate the user and to determine if the user has the authorization to perform actions requested. The access controls are supplemented with a secure network at both NIH and NIDDK.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Howard Thomas

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK Visual Employee Database System (VEDS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 11, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3196-00-403-131

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: NO

6. Other Identifying Number(s): NO

7. System Name: Visual Employee Data System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tahir Rameez

10. Provide an overview of the system: The VEDS application supports the efforts of the NIDDK, with tracking employee information. The application downloads this information from the Human Resources Database (HRDB) weekly. Information entered into the VEDS database is not uploaded into the HRDB

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share IIF with any other system. This system is under SOR # 09-90-0018. This information is further addressed in the HHS Privacy Act Systems of Record Notice 09-90-0018, published in the Federal Register, Volume 59, November 9, 1994.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The NETCOMM application collects personal information from the NIH Human Resource Database (HRDB) through bi-weekly downloads. Social security numbers are included in the data collected. The data collected is used to manage the organization's personnel information. Individuals are notified of the collection and use of data as part of the hiring process and it is mandatory if the potential job applicant wishes to seek employment at NIH.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: IIF in the system is gathered from the HRDB system. Changes to the system or changes in the way the information is used are relayed to employees via official notices from IC. Individuals are notified of the collection and use of data as part of the hiring process and it is mandatory if the potential job applicant wishes to seek employment at NIH.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is accessible only through a username and password. The policy for passwords is that they include at least one number and at least one capital letter. Only administrative access allows user permissions to be granted or removed. The system is operated and accessed only on government-owned computer systems, behind a firewall.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Howard Thomas

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDDK Visual Status of Funds (VSOF) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 11, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-02-3198-00-402-125

4. Privacy Act System of Records (SOR) Number: NO

5. OMB Information Collection Approval Number: NO

6. Other Identifying Number(s): NO

7. System Name: Status of Funds (VSOF)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tahir Rameez

10. Provide an overview of the system: The VSOF application supports the efforts of the NIDDK in tracking employee information. The application downloads this information from the Human Resources Database (HRDB) weekly. Information entered into the VSOF database is not uploaded into the HRDB.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): NO

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The application downloads this information from the Human Resources Database (HRDB) weekly. Information entered into the VSOF database is not uploaded into the HRDB. The VSOF system does not store any IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Status of Funds (VSOF) does not store IIF.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Status of Funds (VSOF) does not store IIF.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Howard Thomas

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDCR Internet Website (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: 42 U.S.C. 203, 241, 2891-1 and 45 U.S.C. 3101 and Section 301 of the Public Health Act.

6. Other Identifying Number(s): NIDCR-8

7. System Name: NIDCR Internet Website

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jody Dove

10. Provide an overview of the system: The web site disseminates information about oral health, research advances, funding and training opportunities, and Institute priorities to researchers, patients, health care providers, policymakers, and the public.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): SOR 09-25-0106

The information collected is disclosed only to specific clearinghouse staff so they can process the orders and mail out publications to those who have requested them. The SOR on file for this system contains language which details potential disclosure of information practices. NIDCR will comply with the SOR.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: If someone wishes to order a publication they must supply the following IIF information: name, address, and phone number. This information is required to mail the publication. But it is entirely up to individuals to decide if they wish to order publications.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: NIDCR does not plan to make any changes to the system. However, if a change were to occur, NIDCR would post a written notice directly on the publication order form to inform individuals of this change.

• The publication order form makes clear what information is being collected (name, address, and telephone number) and why (to mail out publications that an individual requests). The order form states that this information is shared only with our clearinghouse for the purpose of complying with the individual’s publication request.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: Yes

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: If someone wishes to order a publication, they must supply their name, address, and phone number through the publication order form on the NIDCR web site. The information is stored and managed by our clearinghouse, IQ Solutions. Access to IIF requires a password for system access. Such access is limited to authorized system users, administrators, developers, and information technology support personnel.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Mary Daum

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDCR Intramural Research Training Awards Database (IRTA) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: NIH 09-25-0158

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NIDCR-05

7. System Name: NIDCR Intramural Research Training Awards Database (IRTA)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Deborah Philp

10. Provide an overview of the system: Records of Applicants and Awardees of the NIH Intramural Research Training Awards Program

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): IRTA does not currently share or disclose IIF information. It is covered by the SOR 09-25-0158 for potential disclosures.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Name, Mailing Address, Phone numbers, email Address, Education Records.

This information will be used in generating reports for our programs, but no personal information will be given in these reports. The information does contain IIF and the submission of personal information is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No process is in place.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The IIF will be secured using role based assignments and limited computer access. Password controls are in place for this IIF and I am the only person with access to this system. Technical controls for this system include strong password authentication and firewall protection. Physical controls include cipher locks, key card access and identification badges for access to database servers.

PIA Reviewer Approval: Promote

Comments: Approved by Mary Daum

PIA Reviewer Name:

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Aug 15, 2007


06.3 HHS PIA Summary for Posting (Form) / NIH NIDCR Personnel Database (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-02-02-7302-00-403-131

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NIDCR-06

7. System Name: NIDCR Personnel Database

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Carol Beasley

10. Provide an overview of the system: A small Microsoft Access database that supports Institute-specific and non-FTE data not available in the enterprise system

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not currently share or disclose IIF information. It is covered by the SOR NIH 09-90-0018 for potential disclosures.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Use system to track personnel information: Name, DOB, SSN, Mailing Address, Phone #s, email address; education records; employment status; military status, in order to manage human capital. All IIF in the Personnel Database is collected and maintained by the NIH enterprise system, HRDB, and the information collected constitutes IIF, and it is mandatory for all employees.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Data is downloaded from the NIH HRDB. NIDCR adheres to OHR's policies pertaining to notification and consent.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative controls include role based assignments and limited access. Technical controls include strong password authentication, firewall protection. Physical controls include cipher locks, key cards, CCTV and identification badges for access to database servers.

PIA Reviewer Approval: Promote

Comments: approval by Mary Daum

PIA Reviewer Name:

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDCR Science Coding and Reporting System (SCORE) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-7304-00-202-069

4. Privacy Act System of Records (SOR) Number: NIH 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NIDCR-03

7. System Name: Scientific Coding and Reporting (SCORE)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sarah L. Glavin

10. Provide an overview of the system: SCORE is a scientific coding system that assigns science coding terms to specific grants, projects, and contracts funded by NIDCR. SCORE draws information about funded grants from the NIH enterprise system on grants (IMPAC II), and then adds NIDCR-specific science coding information. SCORE is used primarily for budget reporting, program evaluation, and other analysis.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The SCORE system does not currently share or disclose IIF information. It is covered by the SOR NIH 09-25-0036 for potential disclosures.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: All IIF in the SCORE system is collected and maintained by the NIH enterprise system IMPAC II. SCORE stores this information but does not collect or disseminate it.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: This process occurs through the NIH enterprise system IMPAC II. SCORE does not have separate procedures for this activity because all IIF in the SCORE system is downloaded from IMPAC II.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative controls include role-based assignments and limited access. Technical controls include strong password authentication, firewall protection, and administrative logs. Physical controls include cipher locks, key cards, CCTV, and identification badges for access to database servers.

PIA Reviewer Approval: Promote

Comments: approval by Mary Daum

PIA Reviewer Name:

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDCR SOFie (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH NIDCR Status of Funds Internet Edition (SOFie)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: George J. Coy

10. Provide an overview of the system: SOFie is a Web-based financial reporting/tracking tool that enables NIH ICs to manipulate and report on financial transactions downloaded from the Budget & Finance database in the NIH Data Warehouse. (The NIH DW Budget & Finance database comprises data downloaded from the NIH Business System).

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No sharing or disclosures at this time.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Grantee and contractor (NIH grant recipient and contractor) information maintained financial account information. IC accounting transactions are downloaded from the Budget & Finance database in the NIH Data Warehouse. The data contains no IIF information and it is used to plan, track, and report on IC fiscal budgets.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Reviewer Approval: Promote


PIA Reviewer Name: Mary Daum/301.594.7559

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Jan 26, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIDCR Visual Employee Database System (VEDS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3196-00-403-131

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NIDCR-07

7. System Name: Visual Employee Data System (VEDS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Carol Beasley

10. Provide an overview of the system: A Windows application used for tracking and managing personnel information.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): VEDS does not currently share or disclose IIF information. It is covered by the SOR 09-90-0018 for potential disclosures. This information is further addressed in the HHS Privacy Act Systems of Record Notice 09-90-0018, published in the Federal Register, Volume 59, November 9, 1994.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: VEDS tracks all information pertinent to a personnel file for the purpose of personnel management activities. Information is collected from employees via the HRDB system. Uses consist of the following: a) tracking a time-limited appointment to ensure renewals are done in a timely manner, thereby avoiding any break in service, b) ensuring that allocated FTE ceilings are maintained, c) ensuring salary equality for various hiring mechanisms, d) providing reports requested by the NIH Director, IC Director and other management staff, as requested, and e) maintaining lists of non FTEs, special volunteers, contractors, and other hiring appointments. The information collected constitutes IIF, and is mandatory for all employees.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: IIF in the system is gathered from the HRDB system. Changes to the system or changes in the way the information is used are relayed to employees via official notices from OHR. Individuals are notified of the collection and use of data as part of the hiring process and it is mandatory if the potential job applicant wishes to seek employment at NIH.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative controls include role based assignments and limited access. Technical controls include strong password authentication, firewall protection. Physical controls include cipher locks, key cards, CCTV and identification badges for access to database servers.

PIA Reviewer Approval: Promote

Comments: approval by Mary Daum

PIA Reviewer Name:

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS Budget Management Support Systems (BMSS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 13, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-6201-00-402-129

4. Privacy Act System of Records (SOR) Number: n/a

5. OMB Information Collection Approval Number: n/a

6. Other Identifying Number(s): none

7. System Name: Budget Management Support Systems

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nancy Stegman

10. Provide an overview of the system: Maintenance of small budget office systems that extract various National Institute of Environmental Health Sciences (NIEHS) financial expenditure and Full Time Equivalent (FTE) use data from the NIH data warehouse and generate reports to support NIEHS's tracking, monitoring, planning and decision-making.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The data is downloaded from NIH data warehouse. Local information is added and processed. There is no information collected that is not required for local budgetary utilization. Private personnel information is not added to the system by NIEHS budget applications. Information is about positions occupied and funds spent.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: no IIF

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF

PIA Reviewer Approval: Promote


PIA Reviewer Name: Nancy Stegman

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS CRU Clinical Management System (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Nov 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: NO

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): n/a

7. System Name: NIH NIEHS CRU Clinical Management System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Robert LeVine

10. Provide an overview of the system: The NIEHS Clinical Management System (eSphere - software name) is an Oracle based database and work flow mapping system that will serve as the main patient record, scheduling, and data management tool for the new CRU. The system will hold patient records and medical history as approved by the NIEHS IRB, physician educational and credentialing/privileging data, calendar scheduling, and some basic statistical analysis tools. The system is needed because the NIEHS CRU is a new outpatient-based clinical research clinic that will open and begin seeing patients in January of 2008.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The purpose is to track, monitor, and evaluate NIH clinical, basic, and population-based research activities and protocols. The system may share or disclose information to NIH researchers, agency contractors, consultants, etc. who have been engaged by the agency to perform research related activities. Other disclosures may include Congress, the Department of Health and Human Services, the Department of Justice, and the Public Health Service. Disclosures and sharing of information will only be for and will be in compliance with SORN 09-25-0200.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The information is used to document, track, monitor, analyze, and evaluate NIH clinical, basic, and population-based research activities and protocols. The exact data collected for each protocol and from each individual will differ based on final approval of the NIEHS IRB but could include name, date of birth, SSN, mailing address, phone numbers, previous medical records and medical history (as well as newly generated medical notes from new procedures), email addresses, educational levels, military service and deployment locations, foreign activities, height, weight, gender, lab values, and other yet to be determined data.

Submission of all data is voluntary, but is a required condition to participate in the research protocol/activity. Failure to provide any or all required data may exclude the participant from research activity eligibility.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: All IIF that is being collected is clearly communicated and listed on the consent forms that are required to be read and signed by all research protocol/activity participants. These forms clearly let the participant know what is being collected from them, for what purpose, and who all will see it. It also asks permission to re-contact the individuals in the future if changes are needed. If participants elect not to be re-contacted any changes will result in that person's IIF and data being destroyed. If re-contact is approved on the original consent forms, any changes will result in re-contact at which time new consent forms will be presented and signed outlining any changes. All consent forms (and all research protocol/activity forms and IIF data) must be reviewed, approved, and cleared by the NIEHS IRB prior to any data being collected.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is password protected according to NIH policy. The system is housed in the NIEHS facility with tightly controlled access. Please refer to the NIEHS General Support System Certification and Accreditation Package for more details.

PIA Reviewer Approval: Promote

Comments: The PIA is complete as best we can define at this early stage.

PIA Reviewer Name: Robert LeVine

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Nov 20, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS Extramural Research Extension Systems (ERES) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 13, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-6299-00-110-249

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: n/a

6. Other Identifying Number(s): none

7. System Name: NIEHS Extramural Research Extension Systems

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nancy Stegman

10. Provide an overview of the system: System provides functionality not available via central systems to support the mission of extramural research.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This is an extension of the NIH grant management system. Information is downloaded for reporting and used in the local grants management process. Information stored in this system is not shared. Information is used primarily in applications to aid in identifying NIH grantees. The fields that are extracted by NIEHS are not shared by the NIEHS application.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: IIF data is not collected via this system from persons, but rather is downloaded from the eRA IMPAC II enterprise database. This is a reporting system that uses data about grants and grantees downloaded from an enterprise system to track and manage NIEHS grants. No IIF data is collected by this system.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: IIF data is obtained from the IMPAC II database according to procedures used by that enterprise system. The IIF portion of this grant related data is not altered or augmented. Only information related to the grant application is augmented and only NIEHS extramural program staff add this information. NO IIF data is collected or altered in this system. It is copied nightly from an NIH database. IMPAC II data management procedures apply. Procedures regarding notification would be covered by the IMPAC II system.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is stored on a secure Oracle 9i database that is password protected and is behind the NIH and NIEHS firewalls.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Nancy Stegman

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS General Support System (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 13, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026

4. Privacy Act System of Records (SOR) Number: n/a

5. OMB Information Collection Approval Number: n/a

6. Other Identifying Number(s): none

7. System Name: NIEHS General Support System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nancy Stegman

10. Provide an overview of the system: This is the certified secure infrastructure that supports NIEHS operations. NIEHS applications and database reside on this system. There is no specific data collection system.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Infrastructure only. Individual systems are addressed separately

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Infrastructure only. Individual systems are addressed separately

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: Yes

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF

PIA Reviewer Approval: Promote


PIA Reviewer Name: Nancy Stegman

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS Health & Safety Systems (HSS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 13, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-6299-00-110-249

4. Privacy Act System of Records (SOR) Number: 09250105

5. OMB Information Collection Approval Number: n/a

6. Other Identifying Number(s): none

7. System Name: NIH NIEHS Health and Safety Systems

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nancy Stegman

10. Provide an overview of the system: Systems relating to monitoring and tracking the NIEHS health and safety program in conjunction with the NIH mission.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No individual information is shared by this system. However, procedures in SOR #09250105 apply

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Information collected is needed to assure and monitor employee health and safety in the NIEHS workplace. Information is obtained from other NIH systems or from NIEHS employees in an on-site medical facility or when safety incidents occur. Health monitoring is mandatory for certain laboratory employees.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Information is collected only from employees in conjunction with their job responsibilities. Individuals are made aware of the program when they are hired. The Health and Safety Office and their supervisors would inform them of changes in requirements.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is maintained on a database with access only by authorized users with a valid password. Facility is locked with limited key card entry.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Nancy Stegman

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS National Toxicology Program Systems (NTPS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 13, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-6202-00-110-249, 009-25-01-05-02-6205-00-110-249

4. Privacy Act System of Records (SOR) Number: n/a

5. OMB Information Collection Approval Number: n/a

6. Other Identifying Number(s): none

7. System Name: TDMS and Other NTP Systems

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nancy Stegman

10. Provide an overview of the system: TDMS/LDAS collects in-life and pathology data from rodent studies and transmits data to the TDMS database where it is stored and analyzed. Other systems maintain and make available in relational databases suitable for analysis all the information resulting from the conduct of multiple types of NTP studies. Also includes loading completed study data into the NIEHS Oracle database, developing procedures for the testing labs to electronically download study data directly and enhancing the study tracking system.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Data are collected in multiple research laboratories following scientific study protocols. The data comes from the numerous scientific studies conducted by the National Toxicology Program. The testing program is described at No personal information is collected

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF

PIA Reviewer Approval: Promote


PIA Reviewer Name: Nancy Stegman

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS Pegasus (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 13, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: NO

4. Privacy Act System of Records (SOR) Number: 09-25-0216

5. OMB Information Collection Approval Number: n/a

6. Other Identifying Number(s): n/a

7. System Name: Pegasus

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nancy Stegman

10. Provide an overview of the system: System identifies employees and contractors with badges and allows authorized badge holders to access the NIEHS facility.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system is used to issue badges and is used only by staff involved with issuing badges and parking permits. SOR# 09-25-0216

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The information is used to identify badge holders and issue badges that allow employees and contractors access to NIEHS facilities. Information is copied from the NIH directory (NED) or is provided by the badge holder. The only IIF collected in this system is vehicle information and a photo for the badge. Information can be retrieved by name. The information is mandatory for employees and others who are given NIH badges.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: If changes are made to the badge system, personnel are notified by all-hands e-mail. Information that is not already in the NIH Enterprise Directory is collected from individuals when they request a badge. Only individuals who are in NED are eligible for badges. The information is used by security personnel to issue badges and parking hangers. It is not shared. The photo is required for a badge. The vehicle information is required for a parking hanger. Individuals may report any changes in information to security personnel who will change it.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is password protected according to NIH policy. System access is limited to those who use or manage the system. The system is housed in the NIEHS facility with tightly controlled access including guards, key cards and badges. The NIH/NIEHS network is protected by firewall and intrusion detection systems. Remote access requires VPN.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Nancy Stegman

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS Small Program Support Systems (SPSS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 13, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-6299-00-110-249

4. Privacy Act System of Records (SOR) Number: n/a

5. OMB Information Collection Approval Number: n/a

6. Other Identifying Number(s): n/a

7. System Name: Small Program Support Systems

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nancy Stegman

10. Provide an overview of the system: Small applications that support NIEHS program areas including systems for: management and evaluation of programs and research areas; local workflow; tracking scientific activities; project management; library services; information dissemination; and managing application and technical standards for local systems.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Data is collected in conjunction with NIEHS business processes or activity. It is used to track, administer or perform NIEHS activities in conjunction with its programs. Systems that have private information are not included. Examples of data that is collected are ordering information, project status information or information about Institute program activities.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF

PIA Reviewer Approval: Promote


PIA Reviewer Name: Nancy Stegman

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIEHS Toxicogenomics Initiative Database (CEBS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 13, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-6204-00-110-249

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: n/a

6. Other Identifying Number(s): none

7. System Name: CEBS

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nancy Stegman

10. Provide an overview of the system: Development of knowledge base including collection, processing, search and display of data from microarray, proteomics and toxicological assays conducted through a variety of intramural and extramural research partnerships. Goals include creating a public database relating environmental stressors to biological responses, collecting information relating environmental exposures to disease, and developing an improved paradigm for use of computational mathematics for understanding responses to environmental stressors.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): It discloses the name and affiliation of scientists who have contributed data in order to credit their work. SOR 09-25-0200

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Data is from microarray, proteomics and toxicological assays conducted through a variety of intramural and extramural research partnerships. Data is collected in multiple research settings following scientific study protocols. No personal information is collected about experimental subjects. Scientific collaborators may voluntarily register and provide their names, affiliation and contact information.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: All registrations are voluntary. Contributors to the database register to be credited with their contribution. Changes to the system are announced on the Web page. The Web site contains a privacy statement. The CEBS administrator can be asked at any time to change or remove information.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Information is password protected and stored in a database in the NIEHS facility which has been certified and accredited

PIA Reviewer Approval: Promote


PIA Reviewer Name: Nancy Stegman

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS CAGT System (Item)




Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jul 9, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-25-5156-00

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: NIH NIGMS Community for Advanced Graduate Training (CAGT) System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Stacy H. Charland

10. Provide an overview of the system: An interactive web-based system to promote collaboration between T34 and T32 PIs and between T32 PIs and T34 undergraduate minority students seeking graduate training in NIGMS pre-doctoral biomedical programs

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): IIF is disclosed or shared only as described in the SOR. This information is addressed in the NIH Privacy Act Systems of Record Notice 09-25-0036, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: We do not maintain NIH employees' information in this system.

CAGT has 2 types of system users:

1) Current students participating in T34 programs seeking information about T32 pre-doctoral biomedical programs at various institutions.

2) T34 and T32 professors who are conducting training research programs supported via an NIH grant within NIGMS.

For the above users, the following IIF is collected: names, mailing addresses, phone numbers, email addresses, institution names and affiliations, and areas of scientific training interests.

All the information collected is not voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There is no standard process to notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system; however, since contact information is updated regularly, contact in this situation could be performed by correspondence, email, or phone.

The data is collected and maintained for one year, and deleted in July of every year. New participant contact information is collected and maintained from August through May.

The system has a privacy notice that notifies individuals of their rights regarding privacy act data which is displayed on the website.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Access to certain information with different levels of authorization in CAGT is limited to NIGMS/NIH Program Officials, and Principal Investigators (PIs) and students at institutions who are currently participating in the NIGMS T32 and T34 biomedical programs. NIGMS/NIH Program Officials use their NIH Single Sign-On username and password to access CAGT. They oversee the training programs and have access to the user contact information. PIs can gain access to CAGT via their active NIH eRA COMMONS account. PIs have access to their students' data. Students gain access to CAGT by registering on the website and getting approval from their respective PI at their institution on an annual basis.

Technical Controls, currently in place, are: user identification and passwords (as described above), and NIGMS and NIH firewalls - set to protect all the NIGMS and NIH systems.

Administrative Controls are as follows: the implementation of the NIGMS standard security plan, process and procedure for purging files, required user training, and distribution of CAGT system user's guide that are given to PIs to distribute to students in the T32/T34 training programs.

Physical Access Controls include:

1) controlled physical access to the server via a key card access control list indicating administrators allowed to access the LAN Room.

2) The database server is maintained by CIT in an access controlled location.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Stacy H. Charland

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Mar 3, 2008

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS Employee Directory (GMED) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-5151-00

4. Privacy Act System of Records (SOR) Number: 09-25-0216

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NIGMS-0015

7. System Name: NIGMS Employee Directory (GMED)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Stacy H. Charland

10. Provide an overview of the system: Provides photographs and contact information for NIGMS staff. Photographs are for internal use only.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): SOR 09-25-0216. This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0216, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The only IIF information collected from the employee by this system is the digital image, for use to familiarize other staff with new employees. Other information in the system includes work related (work number, room) data and is accessed from the NED system. Other work related information entered includes start and end date and organization unit. Submission/collection of the image is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: As part of the new staff orientation procedures, staff are given verbal notice for their consent to display the photograph on the NIGMS intranet and verbally advised on the use of the photograph.

Email notification would be used to notify and obtain consent from individuals when major changes, if any, occur to the system.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The digital image is stored using NTFS file protections. The intranet site that displays the photographs is available only on the NIGMS Intranet, and is protected by AD account and password in a secure room with restricted Card Key access.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Stacy Charland, 301.594.2680

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS Extramural Support System (NESS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 29, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-5111-00


4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NIGMS-0008

7. System Name: NIGMS Extramural Support System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Stacy H. Charland

10. Provide an overview of the system: Support extramural research activities for NIGMS that are not supported by NIH or HHS enterprise systems. The NESS system provides support to NIGMS extramural staff to manage their grant portfolios and support council activities. The system uses enterprise (SOR 09-25-0036) IMPAC2 data. The system does not contain IIF data.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system downloads and stores grant data from the IMPAC 2 database. The data are stored locally for performance reasons, and are refreshed daily to ensure accuracy. Data includes application review status (preaward data) and Principal Investigator name, work address and phone number. The data also includes the assigned program official's name and work contact data, and the assigned grants management specialist's name and work contact data. The data are used to support local extramural research activities for NIGMS that are not supported by NIH or HHS enterprise systems. The system uses enterprise (SOR 09-25-0036) IMPAC2 data. The system does not download, collect, maintain, or disseminate any IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Stacy Charland, 301.594.2680

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS Grantee Email System (GEMS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-5153-00

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NIGMS-0005

7. System Name: Grantee Email System (GEMS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Stacy Charland

10. Provide an overview of the system: The system is used to generate email messages regarding NIGMS Extramural program information to targeted groups of NIGMS grantees.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system generates email messages regarding NIGMS Extramural programs to targeted groups of NIGMS grantees. The system uses IMPAC/eRA data for this purpose, selecting the grantee's name and work email address, and storing it locally on a temporary basis to improve performance. The system does not collect, manipulate, manage, or disseminate this data. It is used only for the purposes expressed in the IMPAC SOR (09-25-0036)

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Stacy Charland, 301.594.2680

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS Integrated Software and Equipment Tracking System (ISETS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 29, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-5146-00

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NIGMS-0016

7. System Name: Integrated Software and Equipment Tracking System (ISETS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Stacy H. Charland

10. Provide an overview of the system: IT support system that allows detailed tracking of reservations and returns of portable accountable equipment such as laptops and PDAs. Phase II of system provides ability to track software purchases and licensing.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system collects equipment information and tracks loaned equipment and software for NIGMS. An internal id is used to link the equipment to the name of the requestor, as provided by the NED system. The ISETS system does not contain any IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Stacy Charland, 301.594.2680

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS Internet (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NIGMS-0007

7. System Name: NIGMS Internet

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ann Dieffenbach

10. Provide an overview of the system: The NIGMS Internet is a website that provides information about the mission and programs of the NIGMS.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The NIGMS Internet is a website that provides information about the mission and programs of the NIGMS. The system does not contain any IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Stacy Charland, 301.594.2680

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS Internet Employee Directory (NIED) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jun 28, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-5152-00

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NIGMS-0026

7. System Name: NIGMS Internet Employee Directory (NIED)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Stacy Charland

10. Provide an overview of the system: The Staff Contacts page facilitates the public’s ability to locate and contact members of NIGMS. The system provides the ability to search NIGMS staff contact information based on First Name, Last Name or Division/Branch. Partial searches are supported for any of the possible search terms.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The data disseminated by the system consists of the following elements: NIGMS employees' first name, last name, position, work phone, work room number and the NIGMS organizational component. The system does not contain any IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Stacy Charland, (301) 594-2680

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS Intranet (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-5144-00

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NIGMS-0018

7. System Name: NIGMS Intranet

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Stacy Charland, CIO, NIGMS

10. Provide an overview of the system: Support NIGMS staff using Intranet content and administrative support systems. Although some content is program related, the majority of content and applications are supporting general and administrative functions.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: NIGMS Intranet is used for content, typically to provide staff with policies and procedures, information and forms related to specific business areas.

The NIGMS Intranet is organized by the following major areas:

Administrative Services – Provides staff with information about NIGMS facilities, procurement policies, property, travel, and building/campus security.

Computer Services – Provides staff with information about laptop/equipment requests, how to request IT services, user documentation for custom developed applications, status of current service requests, etc.

Employee Information – Provides staff with employment related information, such as benefits, supervisor responsibilities, awards forms and procedures, and training information.

Grants – Provides staff with procedures and information on the grants process, including GAB policies and procedures, the Office Procedures Handbook.

Management Policy and Procedures – Repository of information on management policies and procedures, including IT policies, policies for documents management, privacy act, NIGMS workforce plans,

Public Information – Resources, guidance, and policies related to communication to the public.

The system does not contain any IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Stacy Charland, 301.594.2680

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS MDR Supplements System (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 29, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-04-09-02-5154-00

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NIGMS-0003

7. System Name: Supplements Tracking System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Stacy H. Charland

10. Provide an overview of the system: Collect and maintain data used to generate a required report on Research Supplements for Underrepresented Minorities and Individuals with Disabilities

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The information is normally only shared in aggregate form in a report. The data collected is made available to those outside NIH only as specified in the SOR (09-25-0036)

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The information collected is required for determining the eligibility of the requestor for a financial supplement; it is mandatory information and is provided by the applicant as part of the application process. The information that is input into the Supplement system is collected from the application. Data input into the system includes name and SSN for identification purposes. The system also contains data on educational level, gender, citizenship status, and ethnicity. The data are used only for reporting purposes, and are only provided in aggregate form without identifying information.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No information is collected from individuals, so there is no method to notify individuals or obtain consent. There is no process to notify or obtain consent from individuals in the event of a major system change.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Regular access to information is limited to NIGMS staff that are collecting the information or generating the report. Contractor employees may have access on an as-needed basis for system administration and maintenance. Other access is granted only on a case-by-case basis, consistent with the restrictions required by the Privacy Act (e.g., when disclosure is required by the Freedom of Information Act), as authorized by the system manager.

Access is controlled by individualized Oracle accounts, providing role based access to the database. NIH AD accounts provide access to the client side application via server ACLs, authenticating and authorizing the appropriate staff to the server housing the client side application.

The Oracle database is protected within a CIT locked LAN room facility, while the NIGMS server housing the client side application is located within a key card controlled access LAN room at the NIGMS location.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Stacy Charland, 301.594.2680

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS Meeting Registration System (MREGS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 29, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-5143-00

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NIGMS-0017

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Stacy Charland

10. Provide an overview of the system: Provides support for various extramural and scientific meetings, including meeting information dissemination and registration.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): IIF is disclosed or shared only as described in the SOR. This information is addressed in the NIH Privacy Act Systems of Record Notice 09-25-0106, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system collects the registrant's name, title, address and e-mail. The meeting registrant can provide either work or home contact information, but normally the information collected is work related. The purpose is for registering attendees for meetings. All the information collected is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: This data is temporarily maintained only during the meeting period and shortly thereafter for sending out post-meeting materials. Major system changes do not occur during the data collection (registration) period.

The system has a privacy notice that notifies individuals of their rights regarding privacy act data.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Access to registration data is limited to the meeting sponsor and assistants, and to administrative staff. Meeting registrants may indicate if their information may be displayed on the website for collaboration and networking. Contractor employees may have access on an as-needed basis for system administration and maintenance, and data may be provided to contractors who are facilitating the meeting for developing name tags, determining rooms requirements, etc. Other access is granted only on a case-by-case basis, consistent with the restrictions required by the Privacy Act (e.g., when disclosure is required by the Freedom of Information Act), as authorized by the system manager.

Technical access controls include:

- Controlled physical access to the server via a key card access control list indicating administrators allowed to access the LAN room. The database server is maintained by CIT in an access controlled location.

- Meeting sponsors, assistants and developers have role based access to the Oracle backend database via individualized Oracle accounts.

- Meeting sponsors and assistants access administrative meeting functions via a web interface located on the NIGMS Intranet rather than via a public web server. The Intranet requires authentication via NIH AD accounts and NIH Enterprise Single Sign On.

- Server admins control access to the server via ACLs and NIH AD accounts.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Stacy Charland, 301.594.2680

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS OCPL Image Gallery (OCPLIG) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jun 29, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-5157-00

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NIGMS-0024

7. System Name: OCPL Image Gallery (OCPLIG)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Stacy Charland

10. Provide an overview of the system: OCPLIG is a repository of NIGMS still image and video media that can be accessed by the public for media relations and educational resources. The OCPLIG supports storing, locating and retrieving of visual media by the public.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system collects NIGMS still images and video information and consists of the following elements: description type, source, date, size and format. The OCPLIG system does not contain any IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly descry

PIA Reviewer Approval: Promote


PIA Reviewer Name: Stacy Charland, tel: 301.594.2680

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS OCPL Mailing List Database (OMLD) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 5, 2006

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-5158-00

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NIGMS-0004

7. System Name: OCPL Mailing Labels Database

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Stacy Charland

10. Provide an overview of the system: Collect and maintain addresses of people who have requested receipt of NIGMS educational materials and publications. NIGMS and its contractors will use the data to generate mailing labels.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The NIGMS Internet website provides a listing of publications and electronic mailing lists that are available free of charge. Persons wishing to obtain the materials or subscribe to electronic information must provide their email address or mailing information. Data includes name and mailing address(es), phone number, and email address. This contact information may be for work or home, depending on the preference of the person requesting the materials. No other identifiable information is requested, and the use of personal email and address, if used, would classify the information as IIF. These data are used in sending the requested materials to the requestor. The information being requested is voluntary; however, we cannot respond to the request for materials without their name and email or location address.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The website contains a privacy act statement notifying individuals about what IIF is being collected from them and how the information will be used.

The website privacy policy describes the process for removing or correcting this information.

There is no process in place to notify individuals when major changes occur to the system.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Regular access to information is limited to NIGMS staff that are collecting the information or sending materials. Developers and/or Contractor employees may have access on an as-needed basis for system administration and maintenance. Other access is granted only on a case-by-case basis, consistent with the restrictions required by the Privacy Act (e.g., when disclosure is required by the Freedom of Information Act), as authorized by the system manager.

The database is protected within a locked facility with card key and controlled access.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Stacy Charland, tel: 301.594.2680

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS Pharmacology Research Associate Tracking System (PRAT) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: New Public Access

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-5159-00

4. Privacy Act System of Records (SOR) Number: 09-25-0124

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NIGMS-0006

7. System Name: PRAT System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Stacy H. Charland

10. Provide an overview of the system: The PRAT system is a web-based system that was developed to collect and maintain information on PRAT participants. In particular, this system enables PRAT administrators to track alumni's career progress, and subsequently, use the collected information to report to NIH, the GAO and Congress.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The data collected is made available to those outside the NIH only as described in the SOR (09-25-0124). This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0124, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: IIF data includes name and addresses for identification purposes, and is entered into the database while the PRAT fellow is an employee of NIGMS. Other data include contact information such as phone number if work contact information is not available. These data are used in maintaining contact with the former fellows for collecting yearly status on progress after the program. Awards, degrees, and other education and employment information are used in aggregate for determining summary outcomes for congressional justification and reporting.

The PRAT program regularly requests the most recent CV’s from all former fellows. Standard information from these (title, organization, work address etc) is used to update the PRAT database. Submission of these CV’s is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There is no standard process to notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system; however, since contact information is updated regularly, contact in this situation could be performed by correspondence, email, or phone.

Initial entry of IIF (name, address, phone numbers) is required by the program and is not voluntary. When former PRAT fellows are contacted and asked to submit their CV's, they are told that submission is voluntary. No IIF that is outside of the public domain is requested after the initial, mandatory entry.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Regular access to information is limited to NIGMS staff who are collecting the information or sending materials. Developers and/or Contractor employees may have access on an as-needed basis for system administration and maintenance. Other access is granted only on a case-by-case basis, consistent with the restrictions required by the Privacy Act (e.g., when disclosure is required by the Freedom of Information Act), as authorized by the system manager.

The database is protected within a locked facility with key card controlled access.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Stacy Charland, 301.594.2680

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIGMS SOFIE (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3199-00

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): NIGMS-0022

7. System Name: Status of Funds Internet Edition (SOFIE)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Stacy H. Charland

10. Provide an overview of the system: The SOFIE application is a reporting tool that allows budget offices to track expenditures in appropriated funds in a fiscal year. The application downloads information from the NIH Data Warehouse.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system does not collect Privacy Act Information. The system provides access to accounting data from the NIH Data Warehouse and does not contain any IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote

Comments: New PIA

PIA Reviewer Name: Sally Lee or Stacy Charland

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Feb 15, 2008

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Administrative System (NAS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 10, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-04-00-02-9203-00-205-080

4. Privacy Act System of Records (SOR) Number: 09-25-0217

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: NIMH Administrative System (NAS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: William Hermach, NIMH ISSO

10. Provide an overview of the system: The NIMH Administrative System facilitates all the administrative support services necessary to support the NIMH mission.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system stores employee data such as name and phone numbers for NIMH Administrative Officer (AO) use. Reference SOR#: 09-25-0217

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system collects employee IIF data such as name and phone numbers for NIMH internal use in maintaining IT accounts and emergency contact information. Submission of personal information is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The system follows the NIMH Emergency Contact Procedure and Account Procedures for maintaining individual IIF information. Individuals are notified via email by their respective AO when any major changes to the system or data use occur. NIMH staff consent to have their IIF stored in the system at the time of employment.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The IIF will be secured on the system using NIMH Administrative Policies, technical access controls that enforce least privilege access, and encryption of sensitive data as well as limited physical access to the system via card key.

PIA Reviewer Approval: Promote


Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Clinical Brain Disorders Branch Database (CBDB) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 10, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Clinical Brain Disorders Branch Clinical Database (CBDB)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Michael F. Egan, MD

10. Provide an overview of the system: This database includes clinical data on research subjects studied at the NIH in the Clinical Brain Disorders Branch. The authorizing authority is NIH Public Health Service Act, Section 301.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share or disclose IIF. Reference SOR#: 09-25-0200

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: We collect IIF information (name, phone, email, address and other research info) when subjects apply to volunteer for research protocols approved by our Institutional Review Board. We use the information to study brain function and the biology of mental illness. Personal information collected from subjects who apply for entry into the research studies includes a limited amount of demographics, psychiatric and medical history and related clinical information. Personal information collected from subjects accepted into the research studies includes additional demographics, psychiatric and medical history and related clinical information, as well as developmental history, and a variety of measures of brain function. Submission of IIF is voluntary to participate in research studies.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Information is obtained from subjects who contact our recruitment department and from subjects who participate in our research protocols. Subjects are requested to provide us with this information for the purposes of evaluating their suitability for research and for the actual research itself. Subjects who are accepted into the protocol sign an IRB approved consent form, which describes what information is to be collected. Participants are told that information they provide is confidential and will only be shared with members of our research team. Notification is provided to individuals upon application to participate in a research protocol. Notification is provided via email or Web publication when major changes occur to the system.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The information is stored in a password protected computer database, physically located in a locked research ward. The IIF will be secured on the system using NIMH Administrative Policies, technical and encryption access controls and limited personnel physical access to the system via card key.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Robert Willcoxon

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Extensive Neuro-imaging Archiving Toolkit (XNAT) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 10, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Extensive Neuro-imaging Archiving Toolkit at NIH (XNAT@NIH)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Thalene T. Mallus

10. Provide an overview of the system: The XNAT application supports neuro-imaging research by archiving and processing information about subjects and neuro-imaging scans in which they have participated. The database maintains information on approximately 1800 subjects and approximately 10,200 scans over the past 6 years.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share or disclose IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system will store personal (IIF) and medical information about subjects and neuro-imaging scans for the purpose of mental health research. The submission of IIF is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Subjects of the system will be contacted electronically and/or in person regarding any major system changes.

A protocol consent notice for each subject that has laboratory contact and data use information as well as patient rights and concerns will be used prior to collection of IIF.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The database system is behind the perimeters of the NIH firewalls. Least privilege password access to the database is utilized to restrict role based access.

Administrative and technical

- Multifactor authentication:

+ originating IP address

+ x.509 client certificates

+ password authentication

- Encrypted file system for fields containing IIF

- Ongoing host and network security processing, including regular software and OS patching

- Appropriate logging for audits

Physical controls

- Restricted access to host computer

PIA Reviewer Approval: Promote


PIA Reviewer Name: Robert Willcoxon

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Jan 25, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Grants Management System (GMS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 10, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-04-00-02-9203-00-205-080

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: NIMH Grants Management System (GMS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: William Hermach

10. Provide an overview of the system: The Grants Management System's overall purpose is to support the management and administration of NIMH’s grants.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system shares and discloses IIF with the NIMH support and Program staff to send information and correspond with the contacts. Reference SOR number: 09-25-0036

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The NIMH collects and maintains researcher names, mailing addresses, phone numbers, professional qualifications and areas of expertise for NIMH grants management purposes. The information is voluntarily submitted.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The NIMH grants management procedures involve notification and consent to submit IIF to the system during the grant application process. Individuals whose IIF is in the system are notified when major changes occur by email. Individuals are notified and consent to provide IIF collected by the system in order to provide contact information when applying for NIMH grants.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The IIF will be secured on the system using NIMH Administrative Policies, technical and encryption access controls and limited personnel physical access to the system via card key.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Robert Willcoxon

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Human Subject Research Database (MAP) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 10, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: MAP Human Subject Research Database

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dr. Daniel Pine, 15K North Dr. Bethesda, MD 20892

10. Provide an overview of the system: The MAP system collects and centralizes research data for human subjects enrolled in studies conducted by MAP. IIF is stored in order to adequately distinguish subjects, and contact subjects, if necessary. Demographic data and results from psychological testing are stored and used for research purposes. Scientific data which is large in size (such as MRI scans, EEG scans, some genetics results) is not likely to be stored, although fields describing their location are sometimes used.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer question

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: IIF is collected with the main purpose of recording human subject, classification data for medical research. Certain IIF such as date of birth may be used for scientific purposes (e.g., correlating an observation with age), but never in a manner that could breach confidentiality. The submission of IIF is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Subjects of the system will be contacted electronically and/or in person regarding any major syste

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The database system is behind the perimeters of the NIH firewalls. Least privilege password access to the database is utilized to restrict role based access.

Administrative and technical

- Multifactor authentication:

+ originating IP address

+ x.509 client certificates

+ password authentication

- Encrypted file system for fields containing IIF

- Ongoing host and network security processing, including regular software and OS patching

- Appropriate logging for audits

Physical controls

- Restricted access to host computer

PIA Reviewer Approval: Promote


Sr. Official for Privacy Approval: Promote


Sign-off Date: Jan 25, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Internet and Intranet Web Sites (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a rea

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-27-02-9218-00-305-108

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: NIMH Websites

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: William Hermach

10. Provide an overview of the system: To disseminate Institute information to the public in accordance with Public Law 102-321.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system shares and discloses IIF with the NIMH staff and research partners in support of the NIMH mission. Reference SOR #: 09-25-0036

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: NIMH Websites maintain and disseminate information about mental health disorders, news, research and funding opportunities as well as institute information. In addition NIMH Websites provide a portal to access NIMH Web based applications for grants management, research and administrative functions. The NIMH collects and maintains researcher names, mailing addresses, phone numbers, professional qualifications and areas of expertise for NIMH grants management purposes. The information is submitted voluntarily.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The NIMH procedures involve notification and consent to submit IIF to the system during the grant application and administrative processes. Potential grantees must consent to provide IIF to the system in order to apply for NIMH grants. NIMH consent to have IIF stored in the system as a condition of employment during the hiring process. NIMH Web communications staff notify individuals when major system changes or data use changes occur.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The IIF will be secured on the system using NIMH Administrative Policies, technical and encryption access controls and limited personnel physical access to the system via card key.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Robert Willcoxon

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Laboratory of Brain and Cognition Database (LBC) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 10, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Laboratory of Brain and Cognition Database (LBC)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Thalene T. Mallus

10. Provide an overview of the system: A central repository of subjects and associated contact, demographic, and medical information necessary for LBC Researchers, Post-Docs and Research Assistants to determine study availability, eligibility, and obtain MIS requests for LBC cognitive/imaging research protocols.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share or disclose IIF. Reference SOR#: 09-25-0200

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The database collects names, contact information, demographics, medical, psychiatric, language, eligibility, and availability information for subjects tested under LBC research protocols. This voluntary information is used as a source pool of available testing subjects and the personally identifiable information collected is used for scheduling and eligibility requirements for LBC cognitive/imaging.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The information is obtained from telephone conversations with potential research participants. Subjects are told verbally that the information is being collected into a central repository and will be treated as confidential and used for research purposes only. Subjects may discontinue participation at any time. After an initial screening, subjects are scheduled for a history and physical to determine further eligibility. Consent to participate in the research effort is obtained at the time of the scanning appointment.

Users of the system are contacted electronically and/or in person regarding any major system changes. Signed protocol consent form for each subject has laboratory contact information for study and/or patient rights concerns.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The information is housed on a Filemaker Pro Macintosh Server in a locked office space. The database system is behind the perimeters of the NIH firewalls. Least privilege password access to the database is utilized to restrict unnecessary access.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Robert Willcoxon

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Laboratory of Genes, Cognition and Psychosis (GCAP) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 10, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: NIMH Laboratory of Genes, Cognition and Psychosis (GCAP) Database

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Thalene Mallus

10. Provide an overview of the system: A central repository of subjects and associated contact, demographic, and medical information necessary for GCAP research staff to determine study availability, eligibility, and obtain MIS requests for GCAP cognitive/imaging research protocols. Legislation authorizing this activity is NIH Public Health Service Act, Section 301.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share or disclose IIF. Reference SOR#: 09-25-0200

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The database collects multimodal human brain images (MRI, fMRI, DTI, MRSI) acquired in the past 6 more years. It also downloads genotype and diagnosis info of subjects from CBDB database.

This information contains IIF that will be used for studies in GCAP. Submission of the information is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Users of the system are contacted electronically and/or in person regarding any major system changes. Signed protocol consent form for each subject has laboratory contact information for study and/or patient rights concerns. The information will be used for GCAP research and will not be shared.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The information is housed on a Redhat Linux enterprise Server in a locked office space. The database system

PIA Reviewer Approval: Promote


PIA Reviewer Name: Robert Willcoxon

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Pediatric MRI Database (PedsMRI) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 10, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Pediatric MRI Data Repository (PedsMRI)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Judith Rumsey and Alex Zijdenbos

10. Provide an overview of the system: Pediatric MRI Data Repository contains longitudinal MRI images and clinical/behavioral data from over 500 healthy, typically-developing subjects, age newborn to young adult. The data repository is currently located at the Montreal Neurological Institute.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): A record may be disclosed for a research purpose, when the Department: (A) has determined that the use or disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained; (B) has determined that the research purpose (1) cannot be reasonably accomplished unless the record is provided in individually identifiable form, and (2) warrants the risk to the privacy of the individual that additional exposure of the record might bring; (C) has required the recipient to (1) establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record, (2) remove or destroy the information that identifies the individual at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the research project, unless the recipient has presented adequate justification of a research or health nature for retaining such information, and (3) make no further use or disclosure of the record; (D) has secured a written statement attesting to the recipient's understanding of, and willingness to abide by, these provisions.

Disclosure may be made to agency contractors, grantees, experts, consultants, collaborating researchers, or volunteers who have been engaged by the agency to assist in the performance of a service related to this system of records and who need to have access to the records in order to perform the activity. Recipients shall be required to comply with the requirements of the Privacy Act of 1974, as amended, pursuant to 5 U.S.C. 552a(m).

Disclosure may be made for the purpose of reporting child, elder or spousal abuse or neglect or any other type of abuse or neglect as required by State or Federal law.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system collected names, birthdates, dates on which data were collected, and MRI images of the head and brain, age, sex, race/ethnicity, other demographic variables, clinical/behavioral data, e.g., test scores, brain measures. The data included in the Pediatric Data Repository for public release has been de-identified, removing any and all of the 18 identifiers specified by HIPAA. Birthdates and dates seen have been converted to ages. MRI images have been de-faced/de-identified. Submission of personal information is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Prior to the collection of the data in the Pediatric MRI Data Repository, participants were consented/assented (through NINDS IC) regarding what IIF is collected and shared for research purposes. A privacy notice was included with the consent forms. Participants will be notified via email when major changes occur to the system.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The database system is behind a firewall. In addition, the database connection is made through secure http, which is the encrypted authentication method that is being used to restrict data access. Least privilege password access to the database is utilized to restrict role-based access.

Administrative and technical

- Multifactor authentication:

+ Identity and access validation

+ password authentication

- Ongoing host and network security processing, including regular software and OS patching

- Appropriate logging for audits

Physical controls

- Restricted access to host computer

PIA Reviewer Approval: Promote


PIA Reviewer Name: Dominica Roth, 301-443-4462,

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Unit on Integrative Neuroimaging Database (UINDB) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 10, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Unit on Integrative Neuroimaging Database (UINDB)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jonathan Shane Kippenhan

10. Provide an overview of the system: This system collects and maintains information about subjects and neuroimaging scans they have participated in. NIH Public Health Services Act, Sec. 301.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share or disclose IIF. Reference SOR#: 09-25-0200

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system collects information on demographics, medical history, medications and neuroimaging scans, all of which is used to facilitate neuroimaging research. Submission is voluntary. Information is collected from subjects, who are told that the information will be kept confidential and used only for purposes of our research projects.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Users of the system are contacted electronically and/or in person regarding any major system changes. Signed protocol consent form for each subject has laboratory contact information for study and/or patient rights concerns.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Data access is restricted to users with passwords known only to the user (passwords are not stored). System security is maintained via a combination of physical security, passwords, and firewalls.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Robert Willcoxon

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Visual Employee Database System (VEDS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 10, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-3196-00-403-131

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Visual Employment Database System (VEDS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Quang Tran

10. Provide an overview of the system: VEDS is a windows-based application primarily used to manage and track personnel information. Authority for maintenance of the system is 5 U.S.C. 1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521, and Executive Order 10561.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share or disclose IIF. Reference SOR#: 09-90-0018. This information is further addressed in the HHS Privacy Act Systems of Record Notice 09-90-0018, published in the Federal Register, Volume 59, November 9, 1994.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: VEDS tracks all information pertinent to a personnel file for the purpose of personnel management activities. Information is collected from employees via the NED system. Uses consist of the following: a) tracking a time-limited appointment to ensure renewals are done in a timely manner, thereby avoiding any break in service, b) ensuring that allocated FTE ceilings are maintained, c) ensuring salary equality for various hiring mechanisms, d) providing reports requested by the NIH Director, IC Director and other management staff, as requested, and e) maintaining lists of non FTEs, special volunteers, contractors, and other hiring appointments. The information collected constitutes IIF, and is mandatory for all employees.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: IIF in the system is gathered from the NED system. Changes to the system or changes in the way the information is used are relayed to employees via official notices from the NIMH AO. Individuals are notified of the collection and use of data as part of the hiring process and is mandatory if the potential job applicant wishes to seek employment at NIH.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Authorized users have been trained in the Privacy Act and systems security requirements. To insure security of the data, each individual user’s access level is managed by the Administrator to ensure minimum and necessary access. The server is located in a locked room and is accessible only to specified system support personnel and is also protected by a limited access log-on procedure.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Robert Willcoxon

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NIMH Visual Status of Funds (VSOF) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 10, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-02-3198-00-402-125

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Visual Status of Funds (VSOF)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Quang Tran

10. Provide an overview of the system: Visual Status of Funds (VSOF) facilitates viewing and managing an organization’s accounts. The database stores the organization’s financial transactions and allows the user to view and summarize as needed for different reporting mechanisms.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share or disclose IIF. Reference SOR#: 09-25-0217

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: VSOF stores the IC’s financial transactions, which are downloaded daily from the NIH Data Warehouse. The ICs use the information to monitor spending trends and account balances, and for specialized reporting such as travel reports and salary trends. No personal identifying information is collected.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF is contained in the system.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Authorized users have been trained in the Privacy Act and systems security requirements. To ensure security of the data, each individual user’s access level is managed by the Administrator to ensure minimum and necessary access. The server is located in a locked room and is accessible only to specified system support personnel and is also protected by a limited access log-on procedure.

PIA Reviewer Approval: Promote


Reviewer Name: Bill Hermach

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Alchemy (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number:

4. Privacy Act System of Records (SOR) Number: 9-25-0200

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Alchemy

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Stephenson

10. Provide an overview of the system: The primary purpose of the Alchemy system is to support the NINDS ASP by managing the large volumes of Utah test result data and other ASP files.

Alchemy also provides a way for authorized users to search for legacy Utah test result data through functions for indexing, archival, query, retrieval, and viewing. The ability to perform searches via Alchemy reduces the need to store microfilm and paper copies on NINDS premises. This, in turn, reduces the requirement for ever-increasing storage space.

The Alchemy system supports the mission of the ASP, which is to encourage and facilitate the discovery and development of therapeutics for treatment of seizure disorders. The success of these efforts translates directly into new drugs to treat patients with these disorders.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Researchers receive the letters. Data includes contact information for individual researchers IAW SOR# 09-25-0200.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Correspondence Letter which includes name and business address.

Publicly available journal articles which possibly contain name and email address. Submission of the information is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The letters either come from the person or are sent to the person as a part of the process in entering test results. Consent and notification are assumed when the individual sends or receives the letter containing the information. No other notification is done.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Single sign-on using user name and password; the system resides behind a firewall and is in a server room with no external access. All personnel not having card key access are escorted.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Anti-Epileptic Drug Discovery System II (ADDS II) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8610-00-402-125

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: NO

6. Other Identifying Number(s): NO

7. System Name: Anti-Epileptic Drug Discovery System II (ADDS II)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Stephenson

10. Provide an overview of the system: The purpose of the ADDS II system is to facilitate the establishment of worldwide collaborative relationships among the government, academia, and industry to search for a cure of epilepsies and to provide the necessary incentives for discovery, characterization, and development of novel antiseizure/anticonvulsant agents.

These efforts are undertaken through multi-level testing directed toward the development of safer and more effective therapies for treating the various seizure disorders. To aid in the process, the Anti-Epileptic Drug Discovery System II (ADDS II) application was developed. ADDS II provides a fully integrated system to support the preclinical drug discovery business area. Users can access chemical compound data, order and manage tests, enter test results, and manage inventory using predefined forms and reports.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Data is not shared. The data is used by NIH personnel only to contact researchers who submitted the data. SOR# 09-25-0200

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Collect name, business telephone number, business email address, business address, institution/company/agency name, public website URL. Information is collected from researchers who submit compounds for testing. It is used to communicate test results back to the researcher. Information is mandatory.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Institutions submit compounds and test results voluntarily. Consent to collect this information is assumed upon submission. There are no other processes in place associated with the ADDS II system to notify or obtain consent.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Role-based security, using user name and password for network and Oracle; the system resides behind a firewall and is in a server room with no external access. All personnel not having card key access are escorted.

PIA Reviewer Approval: Promote

PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Bioinformatics (mADB) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Bioinformatics (mADB)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Stephenson

10. Provide an overview of the system: The MaDB system is an internal microarray database system that archives, retrieves via query, manages, and uses custom tools to analyze data resulting from NINDS Intramural research experiments. The data assets comprising the MaDB system consist of NINDS DIR bioinformatics data and Biospecimen data that cannot be tied to any individual. The data is retrieved using a randomized identifier. The system is accessible only within the NIH campus through a web-based interface and contains no IIF.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: NINDS DIR bioinformatics data and Biospecimen data that contains no IIF and is referenced by a randomly generated number. This data cannot be tied back to an individual patient. The system provides NINDS Intramural scientists with a web-accessible, centralized database they can use for storage, retrieval, aggregation, and statistical analysis of NINDS bioinformatics data.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF stored in this system.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF is stored on this system.

PIA Reviewer Appr

PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Coding (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 09-25-01-09-02-8601-00-402-125

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Coding

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Stephenson

10. Provide an overview of the system: The NINDS Coding system is a web-based application enabling NINDS institute personnel, both Intramural and Extramural, to assign codes to grants and contracts. These code values denote the relationship between the Institute's expenditure and an area of science, disease, or disorder. The system also enables Program, Scientific, and Budget Analysts to analyze expenditures by fiscal year and generate reports. Using this system, analysts generate budgetary and scientific year-end reports that are used to respond to internal and external requests for information.

The database is driven by a frozen table of awarded grants and contracts for both Extramural and Intramural research by fiscal year. The data for the frozen table comes from the IRMB database as well as from local NINDS-specific data sources.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system maintains the names of Principal Investigators (PI) who receive grants from the NIH, NINDS Coding system users and Program Directors. System users can generate reports that display the name and institution of the PIs and the name of the grant's Program Director. These reports are provided to NINDS and NIH management as requested. Information regarding IIF disclosure practices is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0036, published in the Federal Register, volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system stores the following information:

- Principal Investigator Name.

- System User Name.

- Program Director Name.

- Principal Investigator Institution Name.

- System User Email Address.

As a part of the NIH grant application process, Principal Investigators are required to provide their name and institution name. The NINDS Coding system downloads this information that the IMPACII database has already collected.

Grants are assigned to Program Directors (PDs), and the PD names are stored to record these assignments. This data is a mandatory part of the grant submission process. The data is used to track PD assignments in association with grant applications and awards.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Individuals are notified of the requirement to collect the IIF in the grant application process. They are informed their grant application cannot be processed without it and their consent is assumed when they submit a signed application. The NINDS Coding system obtains this information and any changes from the IMPACII database. Notification is provided by the IMPACII system. Individuals are not notified when major changes occur to the NINDS Coding system. Changes to the NINDS Coding system that affect IIF would only be made if major changes were made to the IMPACII system. If that were to happen those individuals would be informed through the IMPACII system.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system has several administrative controls in place to secure the data. The NIH requires security training for all system users on an annual basis. Also, the security controls and disaster recovery plan are documented as part of the certification and accreditation process. Finally, the system maintains several user roles, and each system user is given the least privilege needed to perform his or her business function. The system has several technical controls in place to secure the data. A user must first provide a valid username and password to access the NINDS network. The user must also be a system user before he or she can log onto the system. The system is also protected by guards, ID badge requirements, key card access, cipher locks, and closed circuit television.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Jan 25, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINDS FinEx (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-8606-00-305-109

4. Privacy Act System of Records (SOR) Number: 9-25-0036

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: NINDS FinEx

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Stephenson

10. Provide an overview of the system: The FINeX application is a centralized, Internet-based relational database environment that stores data and business rules (procedures) required to maintain the Extramural grant budget. The FINeX application includes the tools necessary to estimate, award, obligate, forecast and report on grant budgets in the Extramural program.

In its in-production state, FINeX resides on the NINDSAPPS3 server as a .Net, web-deployed application. Its interdependencies on other resources (or dynamically-linked libraries (DLLs)) are fully compiled into the installed version of FINeX on NINDSAPPS3. NINDSAPPS3 serves as the web application server for NINDS, where FINeX is exclusively used. The databases on which FINeX is dependent reside on NINDS resources, SQLCLUSTER (SQL Server 2000 database server) and IRIS (Oracle 10 database server). FINeX utilizes, but is not dependent on, NIH CIT resources for supplemental data (e.g., IRDB, an Oracle database warehouse server, and DataWarehouse, an IBM mainframe finance data warehouse).

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): IIF is obtained from the eRA system in the administration of research grants IAW SOR#09-25-0036

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Financial Grant information. The FINeX application is a centralized, Internet-based relational database environment that stores data and business rules (procedures) required to maintain the Extramural grant budget. The FINeX application includes the tools necessary to estimate, award, obligate, forecast and report on grant budgets in the Extramural program. IIF contained in NINDS FinEx is obtained from the eRA system and is a required part of the Grant submission process.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: IIF is submitted as a part of the grant application process. Information used by the NINDS FinEx is taken from the ERA grant application. Notification and consent from the individual is assumed when the grant application is submitted. All notification and consent is taken care of via the Grant application submission process and eRA systems.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Role-based security, single sign-on using user name and password; the system resides behind a firewall and is in a server room with no external access. All personnel not having card key access are escorted.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Intent 2 Pay (I2P) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission:

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8610-00-402-125

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Intent 2 Pay (I2P)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Stephenson

10. Provide an overview of the system: The Intent to Pay application aids in the administration of grants by providing a single definitive list of grant applications to pay during a council round.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): I2P passes information to other internal systems (FINEX, iWin, Council Web Site)

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Grant Number, PI Name, and Financial information are collected, maintained, and disseminated. This system is used to review grant applications and indicate which will be paid. IIF information is mandatory.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: IIF is submitted as a part of the grant application process. Information used by the NINDS FinEx is taken from the ERA grant application. Notification and consent from the individual is assumed when the grant application is submitted. All notification and consent is taken care of via the Grant application submission process and eRA systems.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Role-based security, single sign-on using user name and password, system resides behind a firewall and is in a server room with no external access. All personnel not having card key access are escorted.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Intranet (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-04-02-8610-00-404-136

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: NINDS Intranet

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Stephenson

10. Provide an overview of the system: The NINDSINTRANET server is a dedicated Web server comprised of a Compaq ProLiant server running the Windows 2000 Advanced Server operating system (OS). The server supports the “NINDS Intranet Employee Website” located at The server provides advanced symmetric multiprocessing (SMP) support, clustering, and load-balancing technologies to meet the requirements of NINDS Intranet users.

The server resides on the NINDS private network (Intranet) and, thus, the services it supports are not accessible to the general public.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This system discloses IIF to authorized NIH Staff with logon access through links to other NIH systems such as NED IAW SOR 09-25-0106

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Information is now directly submitted through the NINDS Intranet. All information displayed on the NINDS Intranet is collected and stored by other systems within the NIH. As far as NINDS Intranet is concerned this IIF is voluntary although it may be required by other NIH systems.

· NINDS directory, including employee contact information

· NINDS calendar

· News and alerts

· NINDS policies

· NINDS forms

· Human resources information

· Jobs and training information

· Information about funding opportunities

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The Intranet only accesses and displays data from other systems. Consent is assumed to have been given when the information was collected by those systems. Notification of major changes to the system is disseminated via email to all NINDS personnel. Consent from individuals concerning IIF that may be displayed on the Intranet is the responsibility of the system actually collecting that information. IIF is only displayed to those Staff who have login access to the systems containing the IIF.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Network sign-on using user name and password, system resides behind a firewall and is in a server room with no external access. All personnel not having card key access are escorted.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINDS iWIN (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission:

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-8606-00-305-109

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: iWIN

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Stephenson

10. Provide an overview of the system: The NINDS is responsible for supporting all aspects of biomedical research on disorders of the brain and nervous system. Although NINDS relies heavily on investigator-initiated research, it undertakes specific initiatives to focus efforts on particular problems or opportunities when its leadership is warranted. NINDS plans and implements research through the Initiatives and Workshops in Neuroscience (iWIN) process. The iWIN application is a centralized, Internet-based relational database environment that stores data and business rules (procedures) required to maintain initiative and workshop information for reporting and tracking. In its in-production state, iWIN resides on the NINDSAPPS3 server as a .Net, web-deployed application. Its interdependencies on other resources (or dynamically-linked libraries (DLLs)) are fully compiled into the installed version of iWIN on NINDSAPPS3. NINDSAPPS3 serves as the web application server for NINDS, where iWIN is exclusively used. The databases on which iWIN is dependent reside on a NINDS resource named SQLCLUSTER (SQL Server 2000 database server).

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Data is kept in house and used to maintain initiative and workshop information for reporting and tracking. Information regarding IIF disclosure practices is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0036, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Initiative and Workshop information. The iWIN application is a centralized, Internet-based relational database environment that stores data and business rules (procedures) required to maintain initiative and workshop information for reporting and tracking. IIF data stored in the iWIN database includes Name, phone, address and email of the initiative and workshop contact person. This information is mandatory.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: IIF is submitted as a part of the initiative and workshop process. Notification and consent from the individual is assumed when the initiative and/or workshop is proposed.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Role-based security, single sign-on using username and password, system resides behind a firewall and is in a server room with no external access. All personnel not having card key access are escorted.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Jan 25, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Parkinson's Coding (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8601-00-402-125

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Parkinson’s Coding System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Stephenson

10. Provide an overview of the system: The Parkinson’s Coding System is a database application that has developed along the lines of the NINDS Coding System. It is a scaled down version of the NINDS Coding System, and it enables the NINDS Neurodegeneration cluster to assign codes to Parkinson’s grants and contracts. The code values assigned to grants denote the relationship of the institute’s expenditure to Parkinson’s disease. The system is driven by a frozen table of awarded grants and contracts by fiscal year. The system is also an analytical and reporting tool that enables Program Analysts to analyze expenditures by fiscal year and generate reports. The data is also available earlier in the fiscal year so that the burden on program and budget staff to code grants and generate reports in a timely manner is greatly reduced. Additionally, the ability of the institute to respond to external queries is greatly enhanced.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contain

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system maintains the names of Principal Investigators who receive grants from the NIH, Parkinson’s Coding System Users, and Program Directors. System users can generate reports that display the name and institution of the Principal Investigators and the name of the grant’s Program Director. These reports are provided to NINDS and NIH management as requested.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system stores the following information:

Principal Investigator Name.

System User Name.

Program Director Name.

Principal Investigator Institution Name.

System User Email Address.

As a part of the NIH grant application process, Principal Investigators are required to provide their name and institution name. The Parkinson’s Coding System receives its data from the NINDS Coding System and other external sources, which have already collected the IIF.

Grants are assigned to Program Directors (PDs), and the PD names are stored to record these assignments.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Individuals are notified of the requirement to collect the IIF in the grant application process. They are informed their grant application cannot be processed without it and their consent is assumed when they submit a signed application. The NINDS Parkinson's Coding system obtains this information and any changes from the IMPACII database. Notification is provided by the IMPACII system. Individuals are not notified when major changes occur to the NINDS Coding system. Changes to the NINDS Parkinson's Coding system that affect IIF would only be made if major changes were made to the IMPACII system. If that were to happen those individuals would be informed through the IMPACII system.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system has several administrative controls in place to secure the data. The NIH requires security training for all system users on an annual basis. Finally, the system maintains several user roles, and each system user is given the least privilege needed to perform his or her business function.

The system has several technical controls in place to secure the data. A user must first provide a valid username and password to access the NINDS network. The user must also be a system user before he or she can log onto the system. The system is also protected by the Institute’s firewall and intrusion detection systems.

The system also has several physical controls in place to secure the data. The system is protected by guards, ID badge requirements, key card access, cipher locks, and closed-circuit television. See SOR# 09-25-0036

PIA Reviewer Approval: Promote

Comments: Peter Soltys; NINDS; Co-Acting CIO; 301-496-0583

PIA Reviewer Name: Peter Soltys; NINDS; Co-Acting CIO; 301-496-0583

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Project Central System (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8610-00-402-125

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Project Central System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Stephenson

10. Provide an overview of the system: Project Management and Collaboration tool for planning and tracking projects and tasks within projects. Provides time and asset management leading to more efficient use of manpower and funding.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Project Management and Collaboration information including projected and actual hours to complete a project. This system does not collect or store IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF collected

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF

PIA Reviewer Approval: Promote


PIA Reviewer Name: Peter Soltys/Sue Titman


Sign-off Date: Jan 25, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Purchasing Online Tracking System Extramural (POTX) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 09-25-01-09-02-8601-00-402-125

4. Privacy Act System of Records (SOR) Number: 09-25-0217

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Purchasing Online Tracking System Extramural (POTX)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Stephenson

10. Provide an overview of the system:

The Purchasing Online Tracking System is an enhancement of the old NINDS system. POTX:

· Provides a central repository for all purchase-related forms. The system allows Requesters, Approvers, and Purchasing Agents to use one Web-based system to perform the tasks needed to submit, review, and approve purchase requests.

· Revises the system to meet Section 508 compliance.

· Reduces the use of paper.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system maintains contact information for vendors and requesters so supplies and equipment can be purchased and delivered. Information is shared with vendors and requesters as needed to complete the purchase order. Information regarding potential IIF disclosure practices is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0217, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory:

The system stores the following information:

- Vendor name.

- Vendor address.

- Vendor phone number.

- Name of salesperson.

- Name of quote provider.

- System user name.

- System user address.

- System user phone number.

- System user email address.

The system maintains contact information for vendors so supplies can be purchased. The system maintains contact information for system users so purchases can be delivered. Submission of this information is mandatory for completion of the purchase order.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Information contained in the POTX system is required for completion of the purchase. This information is normally publicly available from the vendor and is collected as a part of the purchase order negotiations. Consent is assumed when the vendor supplies the contact information in response to a purchase order request.

No efforts are made to inform vendors when the POTX system undergoes changes.

32. Does the system host a website?:

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system has several administrative controls in place to secure the data. The NIH requires security training for all system users on an annual basis. Also, the security controls and disaster recovery plan are documented as part of the Certification and Accreditation process. Finally, the system maintains several user roles, and each system user is given the least privilege needed to perform his or her business function. The system has several technical controls in place to secure the data. A user must first provide a valid username and password to access the NIH network. A user must also be an authorized system user, with a record in the user table. The system is also protected by the Institute's firewall and intrusion detection systems.

The system also has several physical controls in place to secure the data. The system is protected by guards, ID badge requirements, key card access, cipher locks, and closed circuit television.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: 25, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Quick Response Internet Website (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-04-02-8610-00-404-136

4. Privacy Act System of Records (SOR) Number: NO

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: NINDS Quick Response Internet Website

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Stephenson

10. Provide an overview of the system: The purpose of the system is to provide 1) email response and 2) brochure fulfillment capabilities, both of which are described below:

1) The email response component tracks, routes, and enables IQ Solutions—the contractor assigned to public outreach—staff to respond to email generated by visitors to the NINDS Public Website. The new Quick Response system will serve as an email inquiry system whereby incoming, Web-generated email requests are transformed into Remedy information requests. The system provides staff members with answers to frequently asked questions so they can more easily draft replies to public requests for information. A library of keywords is kept in Remedy to assist NINDS staff in selecting the correct response to an information request. A knowledge base is kept for searching previously sent responses. Staff will monitor the Remedy tickets via the Quick Response system.

2) The brochure fulfillment component routes requests for publications (a selection of the Publications Request option on the Contact Us page of the NINDS public website) to a Publications Requests folder. IQ Solutions staff members then locate and package the appropriate brochures for mailing. Once a request is fulfilled, the system keeps a record of the task and shows the request as filled.

Reporting capabilities allow NINDS managers to monitor response performance.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Data is kept in house and used to respond to questions/requests from the public. Data is sent to appropriate in house personnel to respond to requests/questions. Data is disclosed only to those who require it to send requested information.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Domain name, date and time of visit, pages visited, address of website you came from are recorded and used for statistical purposes.

Questions/requests, Name and address of the requester used to respond to the request. IIF supplied by the requester is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: All personal information is provided voluntarily. Information is only used to honor the individual's request. Consent to collect the information is assumed when the request is submitted. Notification of changes to the system is through changes to the web site. No IIF is retained in the system. Individuals who have previously supplied their information are not notified of changes to the system.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: System resides behind a firewall and is in a server room with no external access. All personnel not having card key access are escorted. Intrusion detection software.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Receipt & Referral System (RRS) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8610-00-402-125

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: NINDS Receipt & Referral System (RRS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Stephenson

10. Provide an overview of the system: The RRS is an electronic reading room that allows NINDS DER Program Directors (PDs) and Program Analysts (PAs) to perform the following tasks:

Pre-sort Type 1 grant applications into clusters.

Indicate an interest in being either the primary Program Director assigned to the grant or the secondary Program Director.

The system allows an administrator, normally the Referral Liaison (RL), to approve the grant application assignments and send this information, i.e., the assigned Program Director’s program class code (PCC), to the eRA system. The administrator also has the capability to perform certain system utilities.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): See SOR# 09-25-0036. This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0036, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: IIF information in the form of PI Name and grant application number are obtained from eRA for use in processing grant applications. The information is mandatory for processing a grant application and is submitted with the grant application to the eRA system.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: IIF is submitted as a part of the grant application process. Information used by RRS is taken from the eRA grant application. Notification and consent from the individual is assumed when the grant application is submitted. All notification and consent is taken care of via the grant application submission process and eRA systems.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Role-based security, user name and password. The system resides behind a firewall and is in a server room with no external access. All personnel not having card key access are escorted.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Remedy (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8601-00-402-125

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Remedy

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Stephenson

10. Provide an overview of the system: NINDS Remedy is a change management solution where system change requests can be tracked, validated, and reported against. These change requests are requests to add/modify features in the various NINDS software systems and servers. NINDSREMEDY1 serves as the server for NINDS, where Remedy is exclusively used. The database on which Remedy is dependent resides on a NINDS resource named SQLCLUSTER (SQL Server 2000 database server).

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Data is kept in house and used to track, validate and report change requests.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Information identifying the individual submitting a change request is submitted as a part of the change management process. The information is used to contact the individual for additional information/justification for the change. This system stores name and contact information for the individual submitting the change request. The information is mandatory to ensure the request can be processed in a timely manner.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Notification and consent to collect and store IIF is assumed when the change request is submitted. Individuals are informed of this policy and the use of the information when they are trained in the use of the Remedy system. IIF stored in the system includes name and contact information of the person submitting the change request. Personnel are informed of changes to the system via email.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Role-based security, single sign-on using username and password. The system resides behind a firewall and is in a server room with no external access. All personnel not having card key access are escorted.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Jan 26, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Repatriation Tracking System (RTS) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8601-00-402-125

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Repatriation Tracking System (RTS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Stephenson

10. Provide an overview of the system: The Repatriation Tracking System allows Program Officers in multiple ICs to track the mice test subjects given to various researchers. With each mouse line, important data can be entered, including links to on-line resources. This system also allows the Program Officers to make note of their communications with the researchers. The system also allows for reporting of the repatriation process.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system maintains the names of Principal Investigators (PI) and RTS System Users. System users can generate reports that display the Principal Investigators’ name and the name of the Program Director assigned to follow the PI. These reports are provided to NINDS and NIH management as requested.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory:

The system stores the following information:

Principal Investigator Name.

Principal Investigator Phone Number.

Principal Investigator Email.

Principal Investigator Institution.

System User Name.

System User Email.

System User Organization.

System User Phone Number.

As a condition of receiving resources and support from the NIH, Principal Investigators are required to provide their name and contact information.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The NIH collects the IIF, and NINDS relies upon the NIH policy for notifying and obtaining consent from individuals. The NIH users are responsible for informing the individual Principal Investigator (PI) when they collect the IIF and what it will be used for. They are also responsible for obtaining the PI's consent to collect the data. The users are informed of major changes to the system and in turn inform the PIs if there is a change to the use of, or need for the IIF.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system has several administrative controls in place to secure the data. The NIH requires security training for all system users on an annual basis. Also, the security controls and disaster recovery plan are documented as part of the Certification and Accreditation process.

The system has several technical controls in place to secure the data. A user must first provide a valid username and password to access the NINDS network. The user must also be a system user before he or she can log onto the system. The system is also protected by the Institute’s firewall and intrusion detection systems.

The system also has several physical controls in place to secure the data. The system is protected by guards, ID badge requirements, key card access, cipher locks, and closed-circuit television.

PIA Reviewer Approval: Promote

Comments: Peter Soltys; NINDS; Co-Acting CIO; 301-496-0583

PIA Reviewer Name: Peter Soltys; NINDS; Co-Acting CIO; 301-496-0583

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Scientific Review Branch (SRB) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8601-00-402-125

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Scientific Review Branch (SRB)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Stephenson

10. Provide an overview of the system: At several council meetings each year, research grant applications are pooled together and ranked according to their scientific merit. The National Institute for Neurological Disorders and Stroke (NINDS) SRB is responsible for coordinating the review of grant applications at each council. A core part of this process is to identify council participants who are best suited to review given grant applications. The SRB database allows a Scientific Review Administrator (SRA) to divide grant applications into discrete components. Peer reviewers can then be assigned to review components that best match their expertise.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information regarding IIF disclosure practices is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0036, published in the Federal Register, Volume 67, No. 187, September 26, 2002. This system does not share IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The following information is collected and stored in SRB: Name, Degree, Phone, Alternate Phone, Fax Number, Email Address, Web Address, Institution, Department, Academic Rank, Position Title, and Address. This information is collected when an individual volunteers to be a grant application reviewer. The information is mandatory for the individual to be considered for a reviewer position and is used to determine which grant applications are within the individual's area of expertise so they will only be assigned grants they are qualified to review.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There are no specific processes in place to notify individuals when there are changes to the system or when they volunteer the information. All information collected by/for the SRB system is submitted voluntarily when an individual applies to become a reviewer.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system's security controls are all network based. First, users must have access to the NINDS network via user ID and password. Then, the user must have been given access to the SRB system's network folder to access the system.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Jan 25, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Special Project in Neuroscience (SPIN) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8610-00-402-125

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Special Project in Neuroscience (SPIN)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Stephenson

10. Provide an overview of the system: SPIN allows staff to track PIs, fellows, trainees and supporters who have minority supplements. SPIN allows information on people not stored in IMPAC II to be associated with a particular grant application. PHS Act Section 301.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): See SOR# 09-25-0036. This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0036, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Collected information includes grantee's name, race, ethnicity, education level, and gender. The information is collected for grant application reporting purposes used only within the institute. The collected information is the minimum amount of information that is associated with the application. The information is used to monitor research programs, research capacity, building and training, and health disparities among underrepresented groups (e.g. racial/ethnic, gender, etc.). This information is voluntary within the SPIN application.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The data is collected from the grant applications that an individual submits for consideration in obtaining a grant. Consent is assumed when an individual submits his/her grant application. Notification of major changes to the SPIN system is not made to individuals whose IIF was obtained from their grant application submission. Notification of changes to the use of IIF and consent to collect IIF is handled through eRA and the grant application submission process.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: See SOR# 09-25-0036. This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0036, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Specialized Center Cooperative Agreements/U54 (SCCA/U54) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Apr 13, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8601-00-402-125

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Specialized Center Cooperative Agreements/U54 (SCCA/U54)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Stephenson

10. Provide an overview of the system: The SCCA System allows participants in the Specialized Neuroscience Research Program (SNRP) to document their activity associated with U54 grant(s). Participating organizations can access the program over the Extranet and supply data about activities associated with the SNRP grant. Authorized personnel in OMHR can view and report on these activities.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is not shared.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory:

The system collects and stores the following information:





System Login Name

System Password

Email Address

IIF data is used for user login and to show who is associated with a U54 Grant and in what role. Login information is mandatory for system users. Information concerning personnel associated with a grant is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Users voluntarily enter their own data into the SCCA System. The users are aware of the reason for collecting the information when they decide to enter their information by virtue of the fact they have requested and been granted authorization to use the system. Users are informed by email when major changes to the SCCA/U54 system are made.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system has several administrative controls in place to secure the data. The NIH requires security training for all system users on an annual basis. Finally, the system maintains several user roles, and each system user is given the least privilege needed to perform his or her business function.

The system has several technical controls in place to secure the data. A user must also be an authorized system user, with a valid system username and password to access the system. The system is also protected by the Institute’s firewall and intrusion detection systems.

PIA Reviewer Approval: Promote

Comments: Peter Soltys; NINDS; Co-Acting CIO; 301-496-0583

PIA Reviewer Name: Peter Soltys; NINDS; Co-Acting CIO; 301-496-0583

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Strategic Indicative Database (SID) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8610-00-402-125

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: NINDS Strategic Initiatives Database (SID)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Stephenson

10. Provide an overview of the system: The new Strategic Initiatives Database (SID) provides a robust, scalable, and relational database environment that will store the data and business rules (procedures) required to maintain the strategic initiative budgetary information for forecasting and extensive reporting. It also includes a graphical user interface (GUI) that will be highly deployable by reducing the points of deployment to a single location – the Internet. The SID will allow NINDS FMB to access their workloads and will provide them with the tools to print standard and ad hoc reports that meet their daily requirements for financial grant information. The SID will allow budget officers across the enterprise to acquire data (via a secure GUI) for their own budgetary processes. Similarly, the SID controls user access to allow specific data to be viewed only by relevant Users by use of Active Directory (AD) and database security controls.

As a result, the NINDS FMB can expedite budgetary changes by applying the changes to the SID data, making forecasting and reporting data immediately reflect accurate, real-time modifications to grant financial information before the effects take place in the IMPACII or DataWarehouse databases. This step circumvents the time-costly need to wait for updates to IMPACII or DataWarehouse data, which often take several days or weeks to reconcile if the results there are incorrect. With the SID, the numbers are made available immediately (and later reconciled with the IMPACII and DataWarehouse databases) or immediately rectified when problems become apparent.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s):

IIF is obtained from the eRA system and used in the administration of research grants IAW SOR# 09-25-0036.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The new Strategic Initiatives Database (SID) provides a robust, scalable, and relational database environment that will store the data and business rules (procedures) required to maintain the strategic initiative budgetary information for forecasting and extensive reporting. It also includes a graphical user interface (GUI) that will be highly deployable by reducing the points of deployment to a single location – the Internet. The system contains IIF that is a required part of the grant application.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: IIF is submitted as a part of the grant application process. Information used by the NINDS Strategic Initiatives Database (SID) is taken from the ERA grant application. Notification and consent from the individual is assumed when the grant application is submitted. All notification and consent is taken care of via the Grant application submission process.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Role-based security, single sign-on using user name and password, system resides behind a firewall and is in a server room with no external access. All personnel not having card key access are escorted.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Peter Soltys/Sue Titman (301) 496-9244

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINDS Title 42 (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8601-00-402-125

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Title 42

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Stephenson

10. Provide an overview of the system: The Title 42 (T-42) Database provides a central information repository on all Title 42 appointees. Authorized personnel can view all appointees’ current salary and their previous salary and award history. In addition, authorized personnel use the system to propose new salary and award actions for all appointees at the appropriate time.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system stores the name, position title, and salary and award history of all Title 42 employees within NINDS. System users can generate a report, which contains the Title 42 employee’s name, and salary and award history, as requested by NINDS management. See SOR # 09-90-0018

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory:

The system stores the following information:

Title 42 Employee Name.

Title 42 Employee Position Title.

Title 42 Employee Organization.

Administrative Officer Name.

Supervisor Name.

As a part of the NIH hiring process, Title 42 employees, Administrative Officers, and Supervisors are required to provide their personal information. The Title 42 Database downloads this information that the NIH Data Warehouse has already collected.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: As a part of the NIH hiring process, Title 42 employees, Administrative Officers, and Supervisors are required to provide their personal information. Notification is provided at this time that the information is being collected. The Title 42 Database downloads this information that the NIH Data Warehouse has already collected. SOR # 09-90-0018

Individuals are not notified when changes to the Title 42 application occur.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system has several administrative controls in place to secure the data. The NIH requires security training for all system users on an annual basis. Also, the security controls and disaster recovery plan are documented as part of the Certification and Accreditation process. Finally, the system maintains several user roles, and each system user is given the least privilege needed to perform his or her business function.

The system has several technical controls in place to secure the data. A user must first provide a valid username and password to access the NINDS network. The user must also be a system user before he or she can log onto the system. The system is also protected by the Institute’s firewall and intrusion detection systems.

The system also has several physical controls in place to secure the data. The system is protected by guards, ID badge requirements, key card access, cipher locks, and closed-circuit television. Also see SOR # 09-90-0018

PIA Reviewer Approval: Promote

Comments: Peter Soltys; NINDS; Co-Acting CIO; 301-496-0583

PIA Reviewer Name: Peter Soltys; NINDS; Co-Acting CIO; 301-496-0583

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINR Developing Nurse Scientists On-Line Course (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 16, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026

4. Privacy Act System of Records (SOR) Number: 09-25-0156

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Developing Nurse Scientists On-line Course

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dr. Raymond Dionne

10. Provide an overview of the system: On-line course for nurses to develop skills in writing a grant.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share; however, there is a SOR 09-25-0156 which contains provisions for potential disclosure of information practices.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The name and address of individuals seeking continuing education credits are maintained for credentialing. The credentialing agency receives only the number of certificates that Cine-Med will need to mail to the registrants. The information is mandatory by the credentialing agency.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There is a privacy policy maintained by Cine-Med Inc. that has a statement concerning consent. This is a one-time access to complete the course. Electronic notification is contained in the privacy statement.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Cine-Med has in place controls to safeguard and restore the data in case of data loss or catastrophe, to protect the data from unauthorized access or use electronically with passwords and biometrics, as well as prevent physical access to the data with a badging system.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Brian Albertini 301.594.6869

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINR Internet Website (Item)




PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 16, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NINR Internet Website

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Doug Hussey

10. Provide an overview of the system: It is the public face of NINR on the web to provide information about NINR and the research that it supports.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: There is none.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: There is none to secure.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Sandra L. Bond 301.496.9601

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINR Publication, Report Language, and Funding Opportunity Tracking Module (PLUTO) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 16, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NINR Publication, Report Language, and Funding Opportunity Tracking Module (PLUTO)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: John Grason

10. Provide an overview of the system: The system collects lists of NINR-funded publications, funding opportunities, and NINR-relevant Congressional report language in a single location for use by NINR staff in analyzing NINR activities.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not collect, share, or disclose IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Publication data downloaded from publicly available databases such as PubMed, Congressional report language available in publicly available Congressional publications, and NINR funding announcements available on the NIH website are collected by the system. None of this information contains IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There are no such processes because the system does not handle IIF.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: There is no IIF to secure.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Sandra L. Bond 301.496.9601

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINR Status of Funds - Internet Edition (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 9, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Status of Funds - Internet Edition

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Rebecca Erickson

10. Provide an overview of the system: SOFie is a financial reporting/tracking system which is accessed via the web.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Financial data is downloaded from the Common Accounting System for reporting purposes. There is no IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There is none.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: There is none to secure.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Brian Albertini 301-594-6869

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NINR Summer Genetics Institute (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 16, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00-109-026

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Summer Genetics Institute

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dr. Raymond Dionne

10. Provide an overview of the system: Provides information to the public about an intensive course for nurses given by NINR at NIH.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: There is none.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: There is none.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Brian Albertini 301-594-6869

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NLM dbGaP (Database of Genotype and Phenotype) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: May 15, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: New Project

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: dbGaP - Database of Genotype and Phenotype

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dar-Ning Kung

10. Provide an overview of the system: dbGaP, the database of Genotype and Phenotype, is a database designed to archive and distribute data from genome wide association (GWA) studies. GWA studies explore the association between specific genes (genotype information) and observable traits, such as blood pressure and weight, or the presence or absence of a disease or condition (phenotype information). Connecting phenotype and genotype data provides information about the genes that may be involved in a disease process or condition, which can be critical for better understanding the disease and for developing new diagnostic methods and treatments.

The database does not contain names, social security numbers, fingerprints, photographs or anything enabling facial recognition. The data is strictly de-identified patient data and does not fall under the category of IIF.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Data collected includes the researcher's name and institutional information, a research abstract (reason for requesting the data) and co-investigator information. This is collected for further contact with the PI and to provide controlled access to the data requested and to provide public access to the research uses of the data.

The information collected from co-investigators is the same as that from Principal Investigators: name, business address, and email address. The submission of personal information is voluntary.

The dbGaP database contains phenotype and genotype data from researchers and from centers who are conducting genome-wide association studies. NLM/NCBI summarizes, reformats, and redistributes these data acting as a central repository for these types of studies.

The information collected is from studies sponsored by an NIH Institute and is sent from the principal investigator or the center conducting the study. All data received is certified as de-identified data. After NIH review of a request from an investigator and his/her sponsoring organization, the genotype and phenotype data is made available for that investigator to access.

Data are categorized by an accession number assigned by NLM/NCBI (not the investigator) to the dataset. Information is retrieved by the name of the study. The capability exists to search the public data for the name of the study, the protocols used, and the dataset summaries but the retrieval is by accession number.

No information in dbGaP is collected directly from patients. Data has not been collected from other NIH databases. If data were to be provided from other NIH databases, e.g., an intramural study, it would be provided under the same conditions as external data, i.e., all data would be de-identified.

There are no names or personal identifiers linked to the phenotype/genotype records. All data are de-identified prior to the time it is delivered to NLM/NCBI.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Dar-Ning Kung

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NLM Genome Assembly and Annotation (GenBank) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jan 22, 2008

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-0733-00

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH NLM Genome Assembly and Annotation (GenBank)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jim Ostell, NCBI; Dennis Benson, NCBI

10. Provide an overview of the system: GenBank is a database of publicly available DNA sequence information. GenBank is an annotated collection of nucleotide sequences from over 200,000 different organisms obtained primarily from individual laboratories as well as through batch submissions from large-scale sequencing centers. The data is exchanged with similar databases in the UK and in Japan. The database is accessible via the web and by File Transfer Protocol.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Data collected include nucleotide sequences and the name of the researcher or laboratory contributing the data, his institution, and a publicly available email address, as associated with the journal article. Submission of data is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Dar-Ning Kung

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NLM Medical Literature Analysis Retrieval System (MEDLARS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-0705-00-110-219

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH NLM Medical Literature Analysis and Retrieval System (MEDLARS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dar-Ning Kung

10. Provide an overview of the system: The Medical Literature Analysis and Retrieval System (MEDLARS) is a multi-purpose application system developed, maintained and operated by the National Library of Medicine (NLM) at the National Institutes of Health (NIH) and consists of various application modules to assist the National Library of Medicine in collecting, organizing, managing, and disseminating health related information.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: No

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Dar-Ning Kung

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NLM Open Source Independent Review and Interpretation System (OSIRIS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Open Source Independent Review and Interpretation System (OSIRIS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Stephen Sherry / Dennis Benson

10. Provide an overview of the system: The Open Source Independent Review and Interpretation System (OSIRIS) is a software tool for checking and validating DNA profile data for accuracy and quality. It is a data validation tool for use by local forensic laboratories to measure the conformance of raw data to quality control standards. NLM receives a limited number of DNA samples for the purpose of developing and improving the statistical methods used to validate the results; however, they are de-identified samples from state laboratories. NLM does not maintain any public or production database of the de-identified samples nor does NLM have any way of associating the DNA forensic data with a person or with any other identifying information.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The OSIRIS software tool is a data validation tool developed by NCBI/NLM for use by local forensic laboratories to determine how their data samples conform to quality control standards. The tool is distributed to local forensic laboratories for their own internal use. The tool itself does not collect, maintain, or disseminate data. In the process of developing the OSIRIS program, NCBI/NLM received a limited number of DNA samples to test the statistical methods used to validate the results. These samples were obtained solely for the purpose of developing the software algorithms and were de-identified samples, containing no individually identifiable information.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Dar-Ning Kung

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NLM Toxicology Data Network (TOXNET) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-02-0703-00-110-219

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH NLM Toxicology Data Network (TOXNET)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dar-Ning Kung

10. Provide an overview of the system: TOXNET (Toxicology Data Network) is the National Library of Medicine’s extensive collection of online bibliographic information. It is a cluster of databases covering toxicology, hazardous chemicals, and environmental health and related areas.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: No

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Dar-Ning Kung

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD AIDS Research Information System (ARIS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): FIC004-ARIScoding

7. System Name: AIDS Research Information System (ARIS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Darlene Blocker

10. Provide an overview of the system: This system helps FIC staff code and report ARIS data. Legislation Authority PHS Act Section 482.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Application is used internally by FIC staff and has user authentication. SOR #09-25-0036

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The ARIS II will contain information on all NIH-funded AIDS research including grants, contracts, and intramural project titles and numbers; names of principal investigators and their institutional affiliations; budget amounts for each project; funding ICs; and an abstract for each project. ARIS II will consist of three modules, consisting of Formulation, Execution and Actual Reporting. The new system will be cross-functional and utilized by all of the ICs that report AIDS funding. ARIS II will allow OAR to collect AIDS budget and project information using several coding systems, such as the Strategic Plan, Functional Category, and Special Interest Category (SIC) codes. ARIS II will also allow staff to develop reports for the Department of Health and Human Services, Office of Management and Budget, Congress, and the general public in a timely and efficient manner. ARIS II contains no IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system contains no IIF.

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name: Darlene Blocker/Antoine D. Jones

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Commercial Rate Agreement Distribution Services (C-RADS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number: 09-90-0024

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name: Commercial Rate Agreement Distribution Services (C-RADS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Rose Farace

10. Provide an overview of the system: Secured Web based distribution of Indirect Cost Rate Agreements for commercial organizations

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: C-RADS is a secured web-based system used to disseminate indirect cost rate information from negotiated rate agreements between NIH and commercial companies that receive the preponderance of their Federal awards from HHS. Access to the system is limited to HHS employees with a bona fide need of the rate information for use in funding and administering HHS contracts and grants. The system does not contain any IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: None

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name: Rose A. Farace

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Complaint Tracking System (CTS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-4692-00-403-226

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name: OEODM Complaints Tracking System (CTS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Patricia Ruben

10. Provide an overview of the system: The CTS supports OEODM business requirements from initial complaint intake and throughout the multiple levels of processes within the case’s life cycle. The CTS supports data inputs capturing, workflows management, reporting, and complaints status and information retrievals.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Reference SOR # 09-90-0018 “Personnel Records in Operating Offices, HHS/OS/ASPER”. IIF are shared and disclosed to OEODM Division of Complaints Management staff during cases management and reports generation. Only statistical information gathered from IIF are used in Federally mandated reports such as the EEOC 462 Report and the No Fear Act Report. The No Fear Act report is published to the OEODM website. The EEOC 462 Report is sent to the US Equal Employment Opportunity Commission (EEOC).

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory:

The CTS collects information significant to an EEO complaint case. The information can consist of the allegation, complaint bases (race, sex, religion, age, and/or disability) and claims, and recommended resolution, as well as the Aggrieved Person (AP)/Complainant and Responsible Management Official (RMO) contact information. Some information may be optional at the initial intake phase but will be further detailed at the later stages. The CTS will also capture important process dates throughout the case’s life cycle in order to assist the Case Managers and Counselors handling the complaints. The information gathered in the complaint process will also be used for both Federal and departmental reporting purposes.

The information collected by the CTS will be used to assist OEODM’s mission statement, by satisfying requirements for EEOC Management Directive 715 (MD-715), and EEO Policies and Regulations (Title VII – Section 717, and Rehabilitation Act – Section 501), as well as Federally mandated reporting requirements such as the EEOC 462 guidelines, and the No Fear Act.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The information collected by the CTS will be obtained through an OEODM website accessible by NIH employees from which they can enter initial complaint intake information after viewing and accepting the system’s Privacy Act Statement.

Additional information can be reviewed by users from the following URL:

OEODM also accepts complaint intake information through the phone, postal mail, and/or fax, after which it will be entered into the system by the agency’s complaints management staff.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The CTS application is hosted at NIH OIT Data Center and therefore follows OIT technical and physical security restrictions.

Additionally, the system is compliant with the DHHS Information Security Program Handbook with regard to the account and password restrictions policy. The website is accessed through HTTPS/SSL. All documents are encrypted when stored on the server.

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name: Patricia Ruben

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Computer Access to Research on Dietary Supplements (CARDS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Computer Access to Research on Dietary Supplements (CARDS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Karen Regan

10. Provide an overview of the system: CARDS is a database of federally funded research projects pertaining to dietary supplements.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): SOR #09-25-0036. This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0036, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: CARDS stands for Computer Access to Research on Dietary Supplements. It is a database of federally funded research projects pertaining to dietary supplements. The ODS was directed by the U.S. Congress to "compile a database of scientific research on dietary supplements and individual nutrients" as part of the Dietary Supplement Health and Education Act (DSHEA) which was passed by Congress in 1994. The information in CARDS is useful to the U.S. Congress, agencies of the Federal government, and the NIH Institutes for budgetary considerations. In addition, CARDS will provide useful information for researchers, health care providers, industry and the general public. CARDS contains projects funded by the United States Department of Agriculture (USDA), the Department of Defense (DOD) and the Institutes and Centers (ICs) of the National Institutes of Health (NIH) beginning with fiscal year 1999, the first year that NIH ICs began reporting research related to dietary supplements. Projects funded by other Federal agencies will be added to CARDS as they become available. The data contained in CARDS is downloaded from the Human Nutrition Research and Information Management (HNRIM) system maintained by NIDDK. The data contained in HNRIM is downloaded from the NIH IMPAC database. CARDS includes the following information from IMPAC about each project: sponsoring organization, project identifier numbers, project title, principal investigator, organization name, address, project abstract, fiscal year and start date. CARDS contains no IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name: Karen Regan

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Continuing Medical Education (CME) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number: 09-25-0014

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Continuing Medical Education (CME)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ione Lagasse

10. Provide an overview of the system: The Office of Education is responsible for developing policies and procedures to ensure that programs meet the specific criteria prescribed by the Accreditation Council for Continuing Medical Education (ACCME). In this role, the OE oversees the development and implementation of high-quality educational programs to meet the needs of NIH physicians as well as the broader medical community that the NIH serves. To facilitate this process the OE has developed a website that collects and reviews and approves applications and then collects the post activity documents. The site also maintains a calendar of events, individual physician records, and a database that creates a variety of reports. The NIH is authorized to conduct research training for which fellowship support is not provided under Section 487 of the PHS Act and which is not residency training of physicians or other health professionals [42 U.S.C. 282(b)(13)]. Clinical Training is permitted under [42 U.S.C. Sections 209(g) and 209(h) and 42 C.F.R. Part 61B].

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information will be shared with NIH staff authorized to review applications for continuing medical education credits. This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0014, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Participants who attend an activity and request CME credit – record can be searched using last name, first name - we recently started collecting NIH badge numbers as our database is tied in with NED. For non-NIH employees, we ask for IIF to create a record in our CME database for that individual and CME credits are dynamically generated into individual records which are available for those folks to track their credit history.

To create a record for participants, the only required fields that fit your IIF are first and last name, and email.

Activity Directors (physicians or scientists at NIH) registering on our site must provide IIF so we can verify that they meet specific criteria and also provide contact info for themselves and their staff that will be using the site.

To create an Activity Director profile, the only required fields that fit your IIF are first and last name, and email.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Collection of this information is authorized under 42 USC 284(b)(1)(c); and 287c-1. The primary use of this information is to maintain records on physicians who are claiming or requesting CME credit and sponsors who are seeking approval of educational activities at the National Institutes of Health. Additional disclosures may be made to law enforcement agencies concerning violations of law or regulation. Application for this program is voluntary; however, in order for us to process your application, you must complete the required fields.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Authorized Users: Access to information is limited to authorized personnel in the performance of their duties. Physical Safeguards: Rooms where records are stored are locked when not in use. During regular business hours rooms are unlocked but are controlled by on-site personnel. Procedural and Technical Safeguards: Usernames and passwords are required to access the site, and a data set name controls the release of data to only authorized users. Passwords are changed periodically, and accounts are deleted when employees or contractors leave. These practices are in compliance with the standards of Chapter 45-13 of the HHS General Administration Manual, "Safeguarding Records Contained in Systems of Records," supplementary Chapter PHS 45-13, and the Department’s Automated Information System Security Handbook.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Antoine Jones

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Contractor Performance System (CPS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-4633-00-401-119

4. Privacy Act System of Records (SOR) Number: None

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name: National Institutes of Health Contractor Performance System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Renee Edwards

10. Provide an overview of the system: The Federal Acquisition Streamlining Act (1994) requires that a contractor’s past performance be considered in the source selection process of granting a Federal contract award. The National Institutes of Health (NIH) Contractor Performance System (CPS) is a multi-agency shared file used to collect, maintain, and disseminate contractor performance evaluations for Federal departments/agencies. The Office of Acquisition Management and Policy, Office of Administration, Office of the Director, NIH, is responsible for the design, development, and implementation of this system as well as its oversight and management. The NIH Center for Information Technology provides all technical support for the NIH CPS.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): None

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory:

Information collected concerns a Contractor’s performance and includes ratings and comments on the following areas:

Quality of Product or Service, Cost Control, Timeliness of Performance and Business Relations.

The FAR mandates that all contracts greater than $100,000 and with a period of performance greater than one year be reviewed at least twice - once during the life of the contract and again at the contract’s expiration. In fact, most agencies are performing annual evaluations. Each evaluation is maintained in the CPS until the contract has expired. All standard evaluations are removed from the NIH CPS active file according to the FAR requirement. Three years after the contract has expired, all evaluations associated with that contract are automatically removed from the active file and are archived. For construction and A&E contracts, the period is extended to six years.

All Federal acquisition personnel authorized to use the NIH CPS have access to finalized/completed evaluations for use in the contract award process. Federal contracting personnel are made aware that the NIH CPS is to be considered a tool only and is not the sole resource for obtaining contractor performance information.

All contact information submitted is business related information and no personal information is submitted into the system.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name: Renee Edwards

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Delegations of Authority Database (DOA) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH OD Delegations of Authority Database (DOA)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Karen Plá, NIH Delegations of Authority Officer (301) 402-6201

10. Provide an overview of the system: The DOA Database provides authorized members of NIH with the ability to enter delegations of authority for their respective IC; edit data concerning IC-specific delegations they enter, and run reports, by IC, on authorities delegated to NIH officials. In addition, they can delegate redelegable authorities within NIH delegations, to another member of the NIH community authorized to receive the particular authority. A delegation of authority is the formal assignment or commitment of legal power, usually to a subordinate official, to make certain decisions and take certain actions that have legal significance. The OD Office of Management Assessment has a responsibility to coordinate and maintain NIH Delegations of Authority from the NIH Director to senior NIH officials. No IIF is contained within the DOA Database system.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The NIH Delegations of Authority (DOA) Database will mirror and track NIH and IC-specific delegations of authority. The database allows authorized IC and OD DOA Coordinators and OHR Subject Matter Experts to enter a copy of the actual DOA for which they are responsible and manage it. The DOAs are not disseminated further than the IC responsible for the maintenance of its DOAs. The database is not used to redelegate authorities and does not contain the official record of the delegations of authority. A delegation of authority is the formal assignment or commitment of legal power, usually to a subordinate official, to make certain decisions and take certain actions that have legal significance. The Database is accessible to NIH employees only, via the OMA website, but does not host its own website. User permissions are assigned on a need-to-know basis, as determined by the IC Executive Officers, OD Office Heads, and the DOA Database System Administrator. The database does not contain any IIF. There is no submission of personal information.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Karen Plá, NIH Delegations of Authority Officer (301) 402-6201

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Disease Funding Tracking System (DFTS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-4620-00-110-219

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Disease Funding Tracking System (DFTS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sylvia Bennett

10. Provide an overview of the system: The NIH will implement the Management Planning and Control (MPC) software from Geac to replace the existing DFTS to enhance the system’s capabilities. The MPC implementation will provide the Office of Budget with an application to consolidate all data related to diseases, conditions and research areas for the NIH; use .NET technology instead of JAVA; save history more efficiently than the existing system; and provide better reporting capabilities both ad-hoc and production. The main MPC database will be in a Microsoft (MS) SQL Server that houses the web interface. The existing DFTS will be the main source of historic data. Approximately 18 years of history will be loaded: 1987-2004 with verification being the responsibility of NIH. The NIH will supply extracted and cleansed data in a format compatible with the Geac Data Loader Utility. DFTS data is available to the public.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory:

The system contains disease fund tracking. The information can be sorted into reports based on:

Disease By Year By IC

Disease By IC By FY

Disease Actual vs. Estimate

Disease Comparison By FY

Percentage Change By IC

Other reports/views may be created by NIH staff. DFTS contains no IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name: Sylvia Bennett

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD DocuShare (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: None

4. Privacy Act System of Records (SOR) Number: None

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name: DocuShare

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Kelly Fennington

10. Provide an overview of the system: DocuShare is a web-based content management system used by OBA designed to allow users to employ their Web browser to store, view, edit, and share information with other users across the Internet related to some of OBA’s activities. Anyone with access to the DocuShare site can download and upload documents, create and manage repositories called collections, and create calendars, bulletin boards, and other site objects.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): None

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Contained within the DocuShare system is information pertaining to human gene transfer protocols including information pertaining to institutional review boards. OBA does not collect personally identifiable information, although such information may occasionally be contained within information submitted. If such information is inadvertently submitted, this data is redacted before downloading into the DocuShare system. Information of this nature, pertaining to institutional review boards, is only reviewed internally within OBA and not shared with other individuals.

Information related to specific detail regarding adverse events associated with these protocols is not disseminated to the public or shared with other investigators and does not contain personally identifiable information. This information is collected in accordance with the NIH Guidelines and is used for in-house analysis of individual trials as well as across trials with similar products or methods. There is no information related to IBC members or rosters.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name: Kelly Fennington

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Electronic Portals in Commerce (e-PIC) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-4633-00-401-119

4. Privacy Act System of Records (SOR) Number: 09-25-0156

5. OMB Information Collection Approval Number: none

6. Other Identifying Number(s): none

7. System Name: e-Portals in Commerce (e-PIC)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Annette Owens-Scarboro

10. Provide an overview of the system: Federal Acquisition Regulations Subpart 13.102 Source list (a).

e-PIC is an e-business system designed to smartly capture the global marketplace and profile information about organizations providing products and services. The NIH OAMP office, with contractor support, serves as system administrator. e-PIC resides on the NIH OD/OIT SQL and Web servers in the office that serves as the “System Technical Administrator”. e-PIC comports with Federal and International Web standards for design and development, including “508” compliance. The e-PIC design was based on a modular and layered conceptual framework and is able to expand both horizontally and vertically through new design, bridges and plug-ins to other systems. e-PIC engages a simple user-friendly interface for system registration and searching. e-PIC links to the Federal Object Classification Code system to facilitate purchasing and to its own unique North American Industrial Classification System (NAICS) engine, which serves as an encyclopedic reference for acquisition classification and size information. e-PIC links to various contract vehicles and Federal past performance systems. It uses ASP for its server-side scripting and JavaScript for its client-side validation. The database is Microsoft SQL Server.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): SOR #09-25-0156. This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0156, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The agency uses e-PIC as a tool to collect organizational profile information, such as name, address, business description, etc., and pertinent NAICS codes and other related information. This information is smartly crossed with other secured data fields, e.g. “number of employees” and average annual sales, to correctly size organizations for Federal acquisition purposes, and for market research or for seeking sources of supplies and services. Profile information is dynamic and portable. Sensitive IIF such as the TIN/EIN/SSN is used only as the User ID when an individual creates an account and logs in later. There are a total of 8 pages that collect individual information, but these pages do not contain sensitive IIF. Registrant pages I through III collect mandatory information, and client-side JavaScript and server-side ASP code is executed if the individual misses a mandatory field; pages IV through VIII collect optional information. Completing the optional data fields is strongly recommended, since a more comprehensive and robust organizational profile will present itself when e-PIC is searched.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Vendors input data, secure and maintain their own information.

When major changes occur to the system or to what IIF is being collected from individuals, both an electronic notice and written mail will be sent to the individuals, and a phone call will be made to confirm receipt of the electronic and written notices. A privacy policy is published on the e-PIC site home page stating the authority and the purpose for collecting individual information. Only general, non-sensitive individual information can be viewed by third parties, which are independent users querying the database. The sensitive IIF is specified in the registration process as the User ID only; the sensitive IIF will not be used or shared.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative controls include C&A, System Security Plan, Contingency Plan, system backups, policies, and procedures. Technical controls include User ID and Password to access system, as well as Firewalls, VPN, Encryption, and PKI. Physical Controls include guards, ID badges, Key Cards, and locked SAS 70 audited server room.

Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name: Annette Owens-Scarboro

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Electronic Research Administration (eRA) (FISMA) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 25, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-04-00-01-4613-00-110-219

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: NIH Electronic Research Administration (eRA)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Carla Flora

10. Provide an overview of the system: The Electronic Research Administration (eRA) is a core service of the Office of Research Information Systems (ORIS) in the NIH Office of the Director. The eRA system provides grants administration support to the NIH institutes and centers, and to other Department of Health and Human Services (DHHS) agencies that fund extramural research. The integrated eRA system comprises two main interfaces: the internal system, IMPAC II, used by NIH staff, and the external system, the NIH eRA Commons, accessed by the grantee community through the Internet. eRA also supports system-to-system communications with research institutions and other federal organizations through eRA eXchange. Currently, ORIS is developing system-to-system connectivity with, the central federal Website for finding grant opportunities and for submitting applications. eRA's comprehensive electronic processing system facilitates the Department's end-to-end grant making functions from application receipt through grant closeout. The system helps DHHS achieve its missions of medical discovery and science management by: 1) electronically capturing, managing, and protecting research grant-related data, 2) reducing administrative overhead, 3) reporting research grant-related data as information to NIH and extramural communities, and 4) enabling the synthesis of the information into knowledge that can guide the management of the NIH research portfolio and improve the Nation's health.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system shares information with authorized users at NIH ICs as well as with authorized users at HHS OPDIVs.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Information includes Name, Date of Birth, Last 4 digits of the Social Security Number (voluntary), Mailing address, phone number, email address, education record, and employment status. Information is mandatory, and is used to create the database record for grant application.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There is no process to notify or obtain consent when there is a major change to the system that affects disclosure and/or data uses since the notice at the time of the original collection.

Applicants are notified data is collected when they enter it into the system, or fill in the paper application.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative controls include C&A, System Security Plan, Contingency Plan, system backups, policies, and procedures. Technical controls include User ID and Password to access system, as well as Firewalls, VPN, Encryption, and PKI. Physical Controls include guards, ID badges, Key Cards, and locked SAS 70 audited server room.

PIA Reviewer Approval: Promote

Comments: Reviewed and approved - T. Boyce

PIA Reviewer Name: Thomas Boyce

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Employee Orientation Information Program (EOIP) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Feb 15, 2008

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-06-02-4695

4. Privacy Act System of Records (SOR) Number: 09-25-0216

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Employee Orientation and Information Program (EOIP)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Marisa Sheelor

10. Provide an overview of the system: The Employee Orientation and Information Program (EOIP) is a required training module for all new NIH staff members as of September 2, 2003 or later. EOIP provides employees with an overview of NIH including its mission, information on its history, information on employee compensation and benefits, and the rights and responsibilities of employees. Employees are required to complete this training within their first 3 weeks of becoming an NIH employee.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): EOIP will collect IIF through the Name (First, Last, Middle Initial) of employees within NIH, deemed appropriate by IC authorities at NIH. EOIP will also collect NED-ID, employee status, job category and science category for NIH employees. The information collected is required to be able to manage this mandatory training. Information may be used to respond to congressional inquiries regarding constituents who have applied for training programs. It is also used to maintain a permanent record of individuals who have taken this training, for future reference. SOR# 09-25-0216

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: EOIP will collect IIF through the Name (First, Last, Middle Initial) of employees within NIH, deemed appropriate by IC authorities at NIH. EOIP will also collect NED-ID, employee status, job category and science category for NIH employees. The information collected is required to be able to manage this mandatory training.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: EOIP imports Name and other information from the NIH Enterprise Directory (NED) for purposes of identifying the new employees who need to take the EOIP training. Users are notified by email when changes are to occur in the system. Employees are not directly notified when information is collected for EOIP because they should have been notified when the information was collected in NED. EOIP gets its data from NED.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Authorized Users: Staff in the Office of Education are instructed to disclose information only to NIH personnel who are involved in the evaluation and selection of candidates for intramural training programs. Physical Safeguards: Paper files and disks are stored in cabinets in a locked room that is under constant surveillance by security personnel. Electronic databases are accessible only with a password on secure web sites. Procedural safeguards: Access to the paper files is strictly controlled by the Office of Education staff. Files may be removed only with the approval of the system manager or other authorized official(s).

PIA Reviewer Approval: Promote

Comments: By Antoine D. Jones

PIA Reviewer Name:

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: May 5, 2008

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Enterprise Ethics system (NEES) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Mar 21, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-4678-00

4. Privacy Act System of Records (SOR) Number: OGE/GOVT-1 and OGE/GOVT-2

5. OMB Information Collection Approval Number: SF-278 approval form No. 3209-0001

6. Other Identifying Number(s): None

7. System Name: NIH OD Ethics NEES (NIH Enterprise Ethics System)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sandra Desautels

10. Provide an overview of the system: The NIH Enterprise Ethics System (NEES) was initiated as a secure web-based workflow management and information technology system in support of the NIH Ethics Program that assists NIH staff with meeting the required statutes and regulations governing the ethical behavior of Executive Branch employees of the Federal Government.

The objective of NEES is the comprehensive automation of the NIH Ethics Program that takes into account various business policies and processes at NIH, through the utilization of numerous related applications and data stores. Specifically, NEES will provide the means to:

· Electronically submit all ethics-related reports and requests along with supporting documentation

· Electronically review and approve all ethics-related reports and requests, along with supporting documentation

· Electronically track and report on all ethics-related reports and requests, submissions, reviews, and approvals as well as other related activities associated with the Ethics Program at NIH

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): IIF contained in NEES is shared with users in HHS Office of General Counsel for the purpose of reviewing forms submitted by the senior staff at NIH.

This data is also available to two NMS technical staff contractors for the purpose of connecting the NEES production database with the development database.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system collects and maintains all aspects of employees' personal finances, including assets, income, liabilities, transactions, gifts, outside positions, and financial agreements. All of this information is considered IIF. This information is reviewed by NIH Ethics Officials to ensure no actual or apparent Conflict of Interest (COI) exists that would breach the public trust. The reporting of this information is mandatory, required by several different statutes and regulations at various levels of government – Federal, HHS, and NIH.

Section 5301 of Title 5 of the U.S. Code authorizes collection of this information and includes actions to be taken when this information is not provided.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The website publishes release notes to the site to notify users when major changes occur to the system. The website used to collect the data contains a Security and Privacy Notice detailing the authority for collection as well as the purposes and uses of the information.

Consent is not required as reporting of this information is required as a condition of employment and by Federal law.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative: Access to financial data is limited to 3 people: the filer who enters and submits the data; the Ethics Coordinator assigned to review the data, and the Deputy Ethics Counselor who reviews the data and certifies the form. Only these 3 people have the ability to let anyone else view the data.

Technical: Access to the system is controlled by NIH SSO, which authenticates the user prior to granting access. Access level and permissions are controlled by the system and based on user, role, organizational unit, and status of the report. All servers have been configured to remove all unused applications and system files and all local account access except when necessary to manage the system and maintain integrity of data.

Physical controls: The servers reside in the CIT Computer Room where policies and procedures are in place to restrict access to the machines. This includes guards at the front door and entrance to the machine room as well as an IRIS scan.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Antoine D. Jones

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Apr 17, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Ethics Management Information System (EMIS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 09-25-01-09-02-4696-00-403-224

4. Privacy Act System of Records (SOR) Number: # OGE/GOVT-2

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Ethics Management Information System (EMIS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Traci Melvin

10. Provide an overview of the system: The NIH Ethics Management System (EMIS) is a web-based relational database that stores information on several types of ethics actions for employees, and permits authorized users to review and print specific reports developed by the staff of the NIH Ethics Office. The system stores NIH employees' ethics forms and requests, including: financial disclosure, outside activities, awards, honorary degrees, official duty activities with outside organizations, widely attended gatherings, recusals, waivers, authorizations, ethics training, new employee ethics orientation, sponsored travel, advice, collaborative research agreements, and other ethics actions. Access is limited to NIH ethics staff with appropriate login and password protections.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Users who manage the system. SOR # OGE/GOVT-2. This information is further addressed in the NIH Privacy Act Systems of Record Notice OGE/GOVT-2, published in the Federal Register, Volume 55, No. 6630, February 22, 1990.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Data in EMIS is only used by NIH ethics officials to track activities requiring ethics approval.

The SSN is collected and used as a unique identifier when retrieving records from the Human Resource Data Base System; this is currently the only way to ensure that the proper record is retrieved. The information collected is mandatory.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Currently there is no documented process in place that addresses how users are informed in case of security breaches and/or its usage. However, we will document such a process.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The database is password protected, the server is stored in a guarded building, and a key card is required for access.

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name: Traci Melvin

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Executive Secretarial System for Enterprise Records and Correspondence Handling (SERCH) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-01-4647-00-404-142

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: None Assigned

6. Other Identifying Number(s): None

7. System Name: System for Enterprise Records and Correspondence Handling (SERCH)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Danielle Kaczensky

10. Provide an overview of the system: To provide electronic records management and document management for the NIH Director's and NIH Deputy Director's official correspondence and files. To track and distribute all correspondence addressed or directed to the NIH Director and the NIH Deputy Director and documents initiated by them, to assure timely and appropriate response. To classify and maintain these incoming and response documents, briefing materials, and meeting folders as part of the NIH Director's official files until they are either purged and shredded or accessioned to the National Archives and Records Administration according to the NIH Records Control Schedule.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): SOR 09-25-0106 Correspondence recd may be forwarded to an IC for response or comment.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system tracks correspondence that is received into the Office of the Director of NIH. The system is an electronic records management and tracking system for internal use of NIH. The potential IIF may contain the following but not limited to: name and contact information as well as image of actual correspondence received.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The IIF is voluntarily provided by the sender; consequently, there are no processes in place to notify or to obtain additional or further consent after their correspondence has been received. The SERCH system for NIH does not solicit data or collect information for a database. The originator/correspondent voluntarily sends the correspondence to the NIH Director and NIH Deputy Director. SERCH contains only the information that the correspondent chooses to include, and NIH does not manipulate the information for another use.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system's Web site uses Secure Sockets Layer (SSL), and Security Logging is activated. The Web user interface provides 128-bit encryption and is PKI-enabled. The system keeps an audit trail for all functional areas. The system, in conjunction with its operating environment, uses identification and authentication measures that allow only authorized persons to access the system. The system provides multi-level, role-based system access controls, regularly updated by the Systems Administrator. Each user is required to login with user IDs and passwords, and users are locked out after 3 failed login attempts. Password construction adheres to NIH password policy, and passwords are encrypted when in storage and in transmission. The user's screen automatically locks after 30 minutes of inactivity. Physical records are stored in locked file cabinets. Deleted documents are shredded.

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name: Star A. Kline

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Extramural Customer Assistance Request System (ECARES) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number: 09-25-0216

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Extramural Customer Assistance Request System (ECARES)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Paul Jordan

10. Provide an overview of the system: The system is a modified COTS product (Sitescape) that is used in support of the new extramural MEO for the purpose of submitting and tracking work requests from extramural staff needing administrative support services.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): users, for lookup purposes when submitting work requests SOR# 09-25-0216

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: This system is not collecting information, only using information that is available to the entire NIH enterprise via the NIH Enterprise Directory (NED) system.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A - No IIF in the system

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A - No IIF in the system

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name: Antoine D. Jones

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD General Support System (GSS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: General Support System (GSS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Antoine Jones

10. Provide an overview of the system: Office of Information Technology LAN

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): none

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: There is no information collected, maintained, or disseminated from this system.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: None

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: None

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name:

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Integrated Time and Attendance System (ITAS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-01-4605-00-403-132

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Integrated Time and Attendance System (ITAS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: James Chung

10. Provide an overview of the system: ITAS is a federal timekeeping system that allows federal employees to report and track their work hours and leave activities.

The Integrated Time and Attendance System (ITAS) is an automated federal timekeeping system developed by the National Institutes of Health. It was modeled after a system developed at the National Science Foundation. ITAS provides a way for employees, timekeepers, administrative officers, and supervisors to record, track, and report time for work hours, leave activities and payroll purposes. Institute personnel such as Timekeepers and Administrative Officers edit the employee profile so it includes accurate time, leave, and tour of duty information. Once employee profiles are established, employees can use the system to record and track their time and attendance. The payroll cycle is bi-weekly. Therefore, every two weeks, ITAS system processes are run to compute and accrue leave earned, generate timecards for the upcoming pay period, and produce an output file from the system to be transmitted to the DFAS payroll system via the Department of Health and Human Services (DHHS). Besides NIH, ITAS is also used by the OPDIVs under DHHS, with the exception of FDA and CDC. Authority for the maintenance of the system is 5 U.S.C. 1302, 2951, 4118, 4308, 4506, 7501, 7511, 7521 and Executive Order 10561.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): ITAS shares IIF information with DFAS Payroll System employed by DHHS for the purpose of payroll processing. SOR #: 09-90-0018

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: ITAS contains user’s IIF information that is not collected from an individual user. The user’s PIA information such as username and SSN is gathered by HR and is being entered by an Administrative Officer to ITAS for setting up the employee’s profile. The submission of the users’ IIF along with their time and attendance information to DFAS (Payroll System) biweekly is mandatory for employees getting paid.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: ITAS does not collect IIF from individual users. Any major changes in ITAS do not require obtaining consent from users. No notification procedures are required.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: General users access the system based on their roles. Application administrators are restricted to modifying the configuration options that are specific to application/web servers. Database Administrators have (R/W) access to the SQL database. System administrators are responsible for maintaining the hardware and operating system.

ITAS is integrated with NIH Login, SSO. Passwords expire after a set period of time. Accounts are locked after a set period of inactivity. Minimum length of passwords is seven characters. Passwords must be a combination of uppercase, lowercase, and special characters. Accounts are locked after a set number of incorrect attempts.

The servers are located in the CIT Computer Center. Access to the NIH Computer Center Building 12 complex is controlled. A security guard is stationed at the main entrance of the complex, 24 hours a day, seven days a week. Anyone entering the building must display a valid government ID showing a current identification photo, or register with the security guard to acquire a temporary visitor’s badge. These badges must be worn at all times. All entrance doors to the Building 12 complex, and the machine rooms are controlled by card-activated locks that restrict access 24 hours a day seven days a week.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana, NIH/CIT/OPEC

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Interagency Edison (iEdison) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jun 25, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-25-0168

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Interagency Edison

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: J. P. Kim

10. Provide an overview of the system: iEdison is a database repository for records on inventions conceived or reduced to practice using NIH extramural grant or contract funds. The database contains invention, patent, and utilization documents submitted by extramural grantees or contractors.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s):

Other government agencies cooperating in the iEdison project. SOR#09-25-0168

GAO - as requested

OIG - as requested

Congressional Inquiry - as requested

NIH Intramural OTT - as appropriate

NIH IC Office of Technology Development - as appropriate

NIH extramural staff

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Information includes Name, Social Security Number, Mailing Address, Phone Number, legal documents, e-mail address, and employment records (not mandatory). The information is IIF (Information in Identifiable Form) and is required in order to identify inventors who have created discoveries in the course of work under Federal Funding Agreements. The IIF associates these inventors with the discoveries that they create for subsequent tracking, reporting, and compliance activities under 37 CFR 401, FAR 52.227-11, FAR 52.227-12, 35 USC 200-212, and other pertinent policies, laws and regulations affecting intellectual property developed using federal funding.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There is no process to notify or obtain consent when there is a major change to the system that affects disclosure and/or data uses since the notice at the time of the original collection.

Applicants are notified when data is collected and entered into the system or when they fill in the application.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative controls include system backups, policies and procedures. Technical controls include role-based access, separation of duties, need-to-know access, user ID and passwords as well as firewalls, VPN, and encryption. Physical controls include guards, ID badges, key cards and a locked and audited server room.

PIA Reviewer Approval: Promote

Comments: I-Edison PIA reviewed and approved.

PIA Reviewer Name: Carla Flora

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Intramural Database (NIDB) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-01-4615-00-110-219

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH Intramural DataBase (NIDB)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dale Graham

10. Provide an overview of the system: The NIH Intramural DataBase (NIDB) system collects data relating to oversight and evaluation of the NIH's Intramural Research Program. These data include names of researchers involved in particular projects and the publications they author, as well as which NIH organizations they are affiliated with. In addition, the names and organizational affiliations of extramural collaborators are also collected. For NIH researchers, the NIDB collects NIH email addresses and other data relating to their research position (e.g., their Intramural Professional Designation). All data collected directly relates to the NIH intramural research process. We collect no unique personal information.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): There is no IIF on this system.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: NIDB collects names, advanced degrees and NIH email addresses for NIH researchers. It also collects from NIH researchers the names and organizational affiliations of non-NIH researchers with whom they collaborate. No personal information (other than names) is collected. Most names for NIH staff are now collected directly from the NIH Enterprise Directory, rather than being entered by NIH staff. These data are used for oversight and evaluation of the NIH Intramural Research Program. The Annual Reports (after approval by Lab/Branch Chiefs and Scientific Directors) are available for searching by members of the public. These contain names, degrees, and organizational affiliations for those shown as collaborating on the Reports. There is no submission of personal information.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: NIDB does not need consent on major changes because it does not collect IIF. NIDB does not need to notify or obtain consent from individuals as no IIF is collected.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: There is no IIF in this system to be secured.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana NIH/CIT/OPEC

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD IP Track System (IPTRACK) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: IP Track System (IPTRACK)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Charlie Jones

10. Provide an overview of the system: Database to track IP addresses of computer systems, and locations of the computers, no IIF collected. Only machine names and room numbers are included in the database.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): None

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Database to track IP addresses of computer systems, and locations of the computers, no IIF collected. Only machine names and room numbers are included in the database.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: None

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: None

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name:

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Loan Repayment Program (formerly OLRS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-06-01-4619-00-110-219

4. Privacy Act System of Records (SOR) Number: 09-25-0165

6. Other Identifying Number(s): NIH/OER/DLR – LRP System

7. System Name: National Institutes of Health (NIH) Division of Loan Repayment (DLR) - Loan Repayment Program (LRP) System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Steve Boehlert

10. Provide an overview of the system: The NIH Loan Repayment Programs (LRPs) are a vital component of our nation's efforts to attract health professionals to careers in clinical, pediatric, health disparity, or contraceptive and infertility research. In exchange for a two-year commitment to a research career, NIH will repay up to $35,000 per year of qualified educational debt, and covers Federal and state taxes that result from these benefits. The NIH LRP Website and Electronic Application System provides a web-based interface for individuals to obtain information, such as eligibility requirements and conditions for participating in the NIH loan repayment programs. The website also provides an electronic application system. Applicants log in to a secure website and provide all required documents, and can view the status of all forms they have submitted, as well as the status of forms submitted on their behalf by their supervisors, recommenders, and institutional officials. The NIH LRP system supports the NIH strategic goal to foster a highly skilled and diverse workforce focused on research goals. Because this investment allows applicants to apply for loan repayment online and submit forms electronically, it supports the E-Gov initiatives. The program manages and complies with the NIH Privacy Act System of Record # 09-25-0165, entitled "National Institutes of Health Office of Loan Repayment and Scholarship (OLRS) Records System, HHS/NIH/OD."

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): NIH DLR has established a limited data exchange with major student lenders (Sallie Mae, AES, and the US Department of Education) to request information on student loans and provides information to Institutional Officials and Non-NIH Scientists.

The LRP system interfaces with IMPAC II (Information for Management, Planning, Analysis and Coordination). IMPAC II is the successor to NIH's original IMPAC information management system. Its firewalls and user access controls ensure the security of confidential grant, contract, and personal data. NIH staff and authorized users from other U.S. Government agencies involved in health research have access to IMPAC II on a need-to-know basis.

The NIH DLR administers the application and disbursement processes for all of the LRPs, which includes information dissemination, conducting the application receipt and referral process, referring qualified applications to the NIH Institutes and Centers (ICs), evaluating educational debt, reviewing basic eligibility, administering individual LRP contracts, establishing repayment schedules with lending institutions, and obligating funds. Participating NIH ICs convene panels consisting of non-NIH scientists to review, score, and rank applications. The ICs make funding decisions and notify NIH DLR of the results of these decisions. Staff within the ICs coordinate with the NIH DLR to ensure funds are available and that they are charged to the appropriate CAN. These NIH staff also help guide applicants and participants who have questions about the research component of their applications or about other aspects of the application process, such as the peer review process.

The NIH DLR maintains and complies with the NIH Privacy Act System of Record # 09-25-0165, entitled "National Institutes of Health Office of Loan Repayment and Scholarship (OLRS) Records System, HHS/NIH/OD."

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The information collected in the application forms is: name, social security number (SSN), grant number, program application and associated forms, service pay-back obligations, employment data, professional performance and credentialing history of licensed health professionals; personal, professional, and (voluntary) demographic background information; financial data including loan balances, deferment, forbearance, and repayment/delinquent/default status information; educational data including academic program; employment status and salary verification (which includes certifications and verifications of continuing participation in qualified research); credit reports; and Federal, State and county tax related information, including copies of tax returns.

LRP awards are competitive. The information collected during the LRP application process is used to make basic eligibility determinations and to provide the scientific reviewers the information necessary to assess the potential of the applicant to pursue a career in research and to measure the quality of the overall environment to prepare the applicant for a research career.

Major changes are posted in the Federal Register and public comment is requested.

User consent is implicit in the act of providing the information. Providing the information is voluntary; however, in most circumstances failing to provide the information precludes the applicant from qualifying for the program or precludes the participant from receiving benefits of the program.

The information provided is not disclosed without the applicant/participant's consent to anyone outside of NIH in a manner that identifies the applicant/participant, except as permitted by the Privacy Act.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: A copy of our Privacy Act Notification is posted on our Web site ( ) and is available to all individuals providing IIF. The Privacy Act Notification lists the purposes for collecting the information, as well as the routine uses permitted by the Privacy Act.

Major changes are posted in the Federal Register and public comment is requested.

User consent is implicit in the act of providing the information. Providing the information is voluntary; however, in most circumstances failing to provide the information precludes the applicant from qualifying for the program or precludes the participant from receiving benefits of the program.

The information provided is not disclosed without the applicant/participant's consent to anyone outside of HHS in a manner that identifies the applicant/participant, except as permitted by the NIH Privacy Act System of Record # 09-25-0165, entitled "National Institutes of Health Office of Loan Repayment and Scholarship (OLRS) Records System, HHS/NIH/OD."

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The DLR LRP system permits only authorized and authenticated user access. Additionally, there are Federal (NIST, FIPS, OMB, GAO, agency-level HHS/NIH guidelines and directives compliant) and industry-best practices security measures in place to ensure the system utilizes and ensures the effective use of security controls and authentication tools to protect privacy to the extent feasible. Access to the LRP system user's records is restricted to authorized users behind the NIH CIT firewall. Risk of unauthorized access is, therefore, considered low. The DLR LRP system is maintained in strict compliance with the NIH Privacy Act System of Record # 09-25-0165, entitled "National Institutes of Health Office of Loan Repayment and Scholarship (OLRS) Records System, HHS/NIH/OD."

Authorized user access to information is limited to authorized personnel in the performance of their duties. Authorized personnel include system managers and their staffs, financial, fiscal and records management personnel, legal personnel, computer personnel, and NIH contractors and subcontractors, all of whom are responsible for administering the NIH LRPs.

Physical safeguards: Rooms where records are stored are locked when not in use. During regular business hours, rooms are unlocked but are all controlled by on-site personnel. Security guards perform random checks on the physical security of the storage locations after duty hours, including weekends and holidays.

Procedural and Technical Safeguards: A password is required to access the terminal and a data set name controls the release of data to only authorized users. All users of personal information in connection with the performance of their jobs protect information from public view and from unauthorized personnel entering an unsupervised office. Data on local area network computer files is accessed by keyword known only to authorized personnel. Codes by which automated files may be accessed are changed periodically. This procedure also includes deletion of access codes when employees or contractors leave. New employees and contractors are briefed and the security department is notified of all staff members and contractors authorized to be in secured areas during working and nonworking hours. Individuals remotely accessing the secured areas of the DLR Internet sites have separate accounts and passwords, and all data transmitted between the server and workstations is encrypted.

NIH requires the completion of a computer-based training (CBT) course entitled ‘Computer Security and Awareness’ for NIH staff and contractors. This CBT provides an overview of basic IT security practices and the awareness that knowing or willful disclosure of the sensitive information processed in the LRP system can result in criminal penalties associated with the Privacy Act, Computer Security Act, and other federal laws that apply. This CBT can be found at http://irtsectra User access may be requested only by personnel authorized by the Executive Officer. Users are not permitted system access until the required system training prerequisites are completed and they demonstrate the competencies required to fulfill their work responsibilities. Users are certified as having fulfilled the requirements by their Executive Officer or his or her appointed representative who requests access for the user.

It should also be noted that the DLR LRP system runs as a part of the NIH (CIT/OIT) infrastructure, which also supports policy enforcement to validate security requirements and privacy requirements are being satisfied. Incident handling guidelines are detailed in the Office of the Director (OD) standard operating procedures “OD/EO/OIT Standard Operating Procedures for Malicious Code Attacks, Intrusions, and Offensive Emails” (at­h.go­v/pubs/SOP_­ISSO.pdf) and the NIH Incident Handling Guidelines (at http://irm.cit.n­­­ml) are consistent with guidance issued by HHS.

The NIH ISSO and Incident Response Team (IRT) (along with the Security Team Network Operations Team, Web Development Teams, Server Administrator Teams) help assure the security of NIH systems, data, and biomedical research information while maintaining connectivity and interoperability throughout NIH. The IRT responds to computer security incidents, characterizes the nature and severity of incidents, and when appropriate, provides immediate diagnostic and corrective actions. When real or probable malicious activity is detected, the IRT acts quickly and effectively to prevent unauthorized access to NIH systems and networks and to minimize the impact of each incident. The IRT works to ensure that needed, up-to-date, accurate and complete intrusion detection and malicious code warnings can be disseminated throughout NIH and that vulnerabilities are remediated commensurate with risk. Intrusion incidents identified by the DLR system personnel are required to be reported to the NIH IRT. Audit logs are reviewed by appropriate staff to ensure that browsing of the database does not take place. The NIH infrastructure that DLR uses supports policy enforcement through scan testing and penetration testing to validate that security requirements and privacy requirements are being satisfied. SARA Scans are proactive scans run by CIT to check all systems for vulnerabilities. CIT sends the results of these scans to OD monthly. Possible Hacker Intrusion Incidents are usually reported by CIT’s Intrusion Detection System, e.g., pre-attack probes, unauthorized access attempts, denial of service attempts, or vulnerabilities identified as a result of a SARA scan. This could also include notification by an outside source that they are being attacked from an NIH IP address.

These practices are in compliance with the standards of Chapter 45-13 of the HHS General Administration Manual, "Safeguarding Records Contained in Systems of Records," supplementary Chapter PHS 45-13, and the Department's Automated Information System Security Handbook.

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name: Steve Boehlert

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD NIH Business System (NBS) [formerly NBRSS] (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-01-01-4601-24-402-125

4. Privacy Act System of Records (SOR) Number: 09-25-0217

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH Business System (NBS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Eric Cole

10. Provide an overview of the system: The overall objective of the NBS is to enable administrative/scientific support that is cost effective, provides more accurate and timely information, modernizes hardware and software components, and facilitates the scientific mission of the NIH. The scope of the NBS includes seven business or "functional" areas currently included in the ADB: Financial Management, Property Management, Accounts Payable (Commercial Accounts), Acquisition, Service and Supply Funds Operations, Supply Management, and Travel Management. Legal authority for maintenance of the NBS may be found in 5 U.S.C. 301 and 302, 44 U.S.C. 3101 and 3102, Executive Order 9397.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The agency will share the IIF as indicated by the routine use disclosures listed in the Privacy Act System of Record 09-25-0217, entitled "NIH Business System (NBS), HHS/NIH." This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0217, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Name, Social Security Number (SSN) or EIN/TID, address, email address, phone number, purpose of payment or request for payment, bank account and routing numbers, accounting classification and the amount paid or billed. Also, in the event of an overpayment and for outstanding charges, fees, loans, grants, or scholarships, the amount of the indebtedness, the repayment status and the amount to be collected. In the event of an administrative wage garnishment, information about the debtor's employment status and disposable pay available for withholding will be maintained. The IIF contained in the system is mandatory to fulfill the requirements of the system.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: If major changes occur to the system a Systems of Records (SOR) will be filed as appropriate.


To determine if a record exists, individuals may write to the System Manager listed in SOR 09-25-0217. A written request must contain the name, address and social security number of the requestor and his or her signature that either is notarized to verify his or her identity or contain a written certification that the requestor is who he or she claims to be and understands that the knowing and willful request for acquisition of a record pertaining to an individual under false pretenses is a criminal offense subject to a five thousand dollar fine.


Same as notification procedures. Requestors should also specify the record contents being sought. Individuals may also request an accounting of disclosures of their records, if any.


Contact the official at the address specified under notification procedure in the SOR identified above, identify the record, and specify the information being contested, the corrective action sought, and the reasons for requesting the correction, along with supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant.

All notices will be published in accordance with the Privacy Act System Notices - Systems of Records (SORs) at NIH as required.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The NBS will conform to applicable law and policy governing the privacy and security of Federal automated information systems. These include but are not limited to the Privacy Act of 1974, Computer Security Act of 1987, Paperwork Reduction Act of 1995, Clinger-Cohen Act of 1996, and the Office of Management and Budget (OMB) Circular A-130, Appendix III, "Security of Federal Automated Information Resources." The IIF will be secured in accordance with Privacy Act System of Record 09-25-0217, entitled "NIH Business System (NBS), HHS/NIH."

PIA Reviewer Approval: Promote


PIA Reviewer Name: Jeff Linden

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD NIH Certification and Accreditation Tool (NCAT) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Mar 5, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH Certification and Accreditation Tool (NCAT)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Kathleen Coupe

10. Provide an overview of the system: NIH Certification and Accreditation Tool (NCAT) is a COTS product that tracks FISMA information for NIH systems and also collects the necessary data to develop and maintain Certification and Accreditation documentation and POA&M data. It is hosted on the NIH Data Center and covered by the Data Center C&A except for those controls which are application specific.

The program also gives Management an overview of the security status at NIH via the reporting tools.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Trusted Agent does not collect, maintain or disseminate IIF. It contains security control information for NIH systems per FISMA requirements. This includes C&A dates, FIPS 199 categorizations, security control implementation, etc., that are used to evaluate system security status. There is no submission of personal information.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: IIF is not collected.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF is collected on the system.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD NIH Integrated Training System (NIHITS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-4610-00-403-224

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: NIH Integrated Training System II (NIHITS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Debbie Butcher

10. Provide an overview of the system: The NIH Integrated Training System, version 2 (NIHITS II) is a Web-based training nomination system used at the National Institutes of Health (NIH). NIHITS II allows for the creation, approval and tracking of employee training nominations.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): NIH Administrative DataBase (ADB) for purposes of funds obligation for training nominations. This information is further addressed in the HHS Privacy Act Systems of Record Notice 09-90-0018, published in the Federal Register, Volume 59, November 9, 1994.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The NIHITS system will collect the Name (First, Last, Middle Initial) of employees within NIH, as well as contractors and other assignments as deemed appropriate by IC authorities at NIH. NIHITS will also collect SSNs for NIH employees, contractors, and other assignments as deemed appropriate.

The NIHITS system will use the above IIF information to carry out its purpose as defined. The Name and SSN information is required to interface with NIH enterprise HR systems, as well as carry out the system’s core functionality.

Submission of Name and SSN is voluntary in that the system does not have to be used to satisfy its function. It is possible for users to not use the system, and accomplish the same end result in manual steps. The system cannot perform its required functions without Name and SSN information, so if using the system, submission of such information is not voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The NIHITS system imports Name and SSN information from the NIH Employee Database for purposes of updating the list of employees and keeping information up-to-date. The authorized users of NIHITS are also able to enter Name and SSN of new employees, contractors and other assignments.

Employee information is sourced from the NIH enterprise HR systems, which would have majority responsibility in disclosing such changes to employees, since they do not directly use NIHITS.

NIHITS can display notes to users on its web site to inform them of such changes. Also, users’ government email addresses can be used to send out notices. Additionally, each Institute/Center has one or more NIHITS administrative contacts, who can inform all of their users of such changes to the system.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Data is retained indefinitely, for historical purposes, and is not scheduled to be disposed of.

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name: Debbie Butcher

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD NIH Integrated Training System II (NIHITS II) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Feb 15, 2008

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-4610-00-403-224

4. Privacy Act System of Records (SOR) Number: 09-25-0216

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NIH Integrated Training System II (NIHITS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Marisa Sheelor

10. Provide an overview of the system: The NIH Integrated Training System II (NIHITS II) is a Web-based training nomination system used at the National Institutes of Health (NIH). NIHITS II allows for the creation, approval and tracking of employee training nominations.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): NIH Business System (NBS) for purposes of funds obligation for training nominations. SOR# 09-25-0216

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The NIHITS system will collect IIF through the Name (First, Last, Middle Initial) of employees within NIH, as well as contractors and other assignments as deemed appropriate by IC authorities at NIH. NIHITS will also collect SSNs for NIH employees, contractors, and other assignments as deemed appropriate. The information collected is required to be able to procure and track training for employees.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The NIHITS system imports Name and SSN information from the NIH Employee Database for purposes of updating list of employees and keeping information up-to-date. Users are notified by email when changes are to occur in the system. Employees don't get directly notified when collecting information from HRDB because they should have been notified when the information was collected in HRDB.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: IIF data is secured by using user identifiers, passwords, firewalls, IDS, backups, ID badges and physical security (guards) in location. Users are restricted to viewing only the data needed to fulfill their duties.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Antoine D. Jones

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: May 5, 2008

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD OACU Training Website (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-27-02-4617-00

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Office of Animal Care & Use Training Website

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Michael Gottesman

10. Provide an overview of the system: Support federally mandated training of NIH staff on animal care and use regulations and policies. Training is required by 7 U.S.C. 2131-2159 and C.F.R. 9, Ch 1, Subch. A, Parts 1-3.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is collected to record who has been trained and the courses completed. SOR#09-90-0018

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Name, last 4 digits of SSN, mailing and e-mail address, phone and fax number are collected from NIH staff who are required to be trained in humane animal care and use principles and practices. Information is collected to record who has been trained and the courses completed. Information collected is minimum necessary to allow notification of training completion and maintain training history as recurrent training is a necessary part of the training requirement. Submission of information is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Information is collected through intranet web-based registration form from NIH staff members who are required to be trained in humane animal care and use principles and practices. NIH staff members are informed through a privacy statement on the registration page that the registration page information is voluntary but must be completed for them to proceed with the training course and to notify them of course completion. There is currently no process in place to notify users of security breaches; however, such a process is being documented.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The System is hosted by the Office of the Director, Office of Information Technology. Role-based access is granted. User authentication is required, consisting of userid and password. Firewalls, an Intrusion Detection & Prevention System, patch management, and antivirus management are in place, and ID badges are needed to enter the building.

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name: Michael Gottesman

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Office of Science Education Website (OSE) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-4681-00-305-109

4. Privacy Act System of Records (SOR) Number: 09-25-0106

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: OSE Website

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Bruce Fuchs

10. Provide an overview of the system: The Office of Science Education (OSE) creates and distributes educational materials to teachers (public, private, and home school) and the public. OSE also offers educational programs for the public and conducts professional development training sessions for teachers around the nation. In order to better serve this customer base, the OSE has constructed a correspondence database. This information has been used to fulfill the initial request for supplements and then to inform teachers about supplement updates, new educational resources (e.g., websites), and professional development opportunities in their area of the country. OSE also has a curriculum supplements database. Here data from students who perform web-based activities from curriculum supplement lessons is stored. The database does not contain any personally identifiable information and is used exclusively to calculate averages. 5 U.S. 301 and 44 U.S. 3101 authorizes collection of this information. All this information can be accessed, as needed, by NIH staff in the course of their duties, and may be disclosed to other Government agencies or courts if determined to be relevant and necessary to litigation involving the Department of Health and Human Services. This information may also be used by NIH to document, track, monitor and evaluate NIH programs and activities.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Mailing information sent to fulfillment center to distribute print materials. SOR#09-25-0106

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The agency will collect the name, mailing address, phone number, and e-mail address of people requesting educational materials from the website. The Office of Science Education (OSE) creates and distributes educational materials to teachers (public, private, and home school) and the public. OSE also offers educational programs for the public and conducts professional development training sessions for teachers around the nation. In order to better serve this customer base, the OSE has constructed a correspondence database. This information has been used to fulfill the initial request for supplements and then to inform teachers about supplement updates, new educational resources (e.g., websites), and professional development opportunities in their area of the country. OSE also has a curriculum supplements database. Here data from students who perform web-based activities from curriculum supplement lessons is stored. The database does not contain any personally identifiable information and is used exclusively to calculate averages. 5 U.S. 301 and 44 U.S. 3101 authorizes collection of this information. All this information can be accessed, as needed, by NIH staff in the course of their duties, and may be disclosed to other Government agencies or courts if determined to be relevant and necessary to litigation involving the Department of Health and Human Services. This information may also be used by NIH to document, track, monitor and evaluate NIH programs and activities

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared:

A) E-mail notification is sent to the respective data managers when changes occur to the PII contained in their respective systems.

B) Individuals may contact the office via e-mail, phone, mail, etc., to notify us of their privacy concerns. Each request is reviewed and/or forwarded to the appropriate party to resolve the privacy concerns.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The information will be stored in Lotus Domino databases and will be secured by the high security mechanisms in place in the Domino server environment. Access Control Lists (ACL), Execution Control Lists (ECL), hierarchical certification, password protected with challenge and response authentication, built-in integrated private/public key encryption, are all used as necessary. Physical access to records and to computer servers containing records is restricted to authorized personnel

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name: Bruce Fuchs

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD OMA Database (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-4699-00-404-142

4. Privacy Act System of Records (SOR) Number: 09-25-0213

5. OMB Information Collection Approval Number: none

6. Other Identifying Number(s): none

7. System Name: Office of Management Assessment (OMA) Database

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jim Hicks

10. Provide an overview of the system: The Office of Management Assessment, Office of Management, provides NIH-wide management of activities/oversight and advice to the NIH Institutes and Centers on management reviews/corrective actions involving program integrity (fraud/waste/abuse/mismanagement reviews), OIG/GAO/Outside review liaison, management control, quality management, best practices, continuous improvement, regulations, delegations of authority, A-76/FAIR Act and Privacy Act requirements, records and forms management, organizational and functional analysis, NIH manual chapters, and guidance and oversight on the control and safeguarding of classified national security information.

The OMA Database application provides functionality to collect, manage, report, and query information pertaining to management issues at the NIH, and their associated recommendations and outcomes. This information is directly related to the OMA mission of providing review, oversight, and advice concerning management issues at the NIH. This is offered through a state-of-the-art web-based system that is accessible by authorized OMA staff. The OMA Database system provides data entry and editing capabilities, and reporting and query functions.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Refer to SOR #09-25-0213. This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0213, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The OMA Database application provides functionality to collect, manage, report, and query information pertaining to management issues at the NIH, and their associated recommendations and outcomes. Information can include name, date of birth, social security number and contact information associated with accuser, accused, and principal investigators. This information is directly related to the OMA mission of providing review, oversight, and advice concerning management issues at the NIH through investigations, queries, and generating reports. This is offered through a state-of-the-art web-based system that is accessible by authorized OMA staff. The database contains IIF, and information is mandatory.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There are currently no processes in place to notify and obtain consent from individuals in the event of a major change to the system.

Notification is provided and consent obtained regarding what information is collected from individuals, and how information will be used or shared. Please refer to NIH Manual Chapter 1754 for these practices.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Authorized users access to information is limited to authorized personnel in the performance of their duties. Physical Safeguards: Rooms where records are stored are locked when not in use. During regular business hours rooms are unlocked but are controlled by on-site personnel. Procedural and Technical Safeguards: Usernames and passwords are required to access the site, and a data set name controls the release of data to only authorized users. Passwords are changed periodically, and accounts are deleted when employees or contractors leave. These practices are in compliance with the standards of Chapter 45-13 of the HHS General Administration Manual, "Safeguarding Records Contained in Systems of Records," supplementary Chapter PHS 45-13, and the Department’s Automated Information System Security Handbook.

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name: Suzanne Servis

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD OSE SciMentorNet (SMN) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: Alteration in Character of Data

1. Date of this Submission: Sep 14, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No; included in existing mentoring project by OBSSR

4. Privacy Act System of Records (SOR) Number: 09-25-0014

5. OMB Information Collection Approval Number: 0925-0475

6. Other Identifying Number(s): None

7. System Name: SciMentorNet

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Elaine Chaklos

10. Provide an overview of the system: SciMentorNet is an NIH e-mentoring program that extends existing efforts by the NIH Office of Behavioral and Social Science Research (OBSSR) to nurture and sustain career interests by high school students in biomedical, behavioral and social science research and in their health-allied fields. Development and maintenance of the supporting e-communication system and database will occur through the NIH Office of Science Education, in partnership with OBSSR. Through this e-mentoring program, 11-12th grade high school student “protégés” are linked via e-mail communication with e-mentors who provide them with relevant information, guidance and support. E-mentoring takes place on the Internet and requires regular access to a computer and internet connection.

This e-mentoring program will link area high school students aged 16 and older with a selected adult mentor through processes listed below:


- Mentor completes and signs the registration form and conditions of service agreement. Failure to abide by the terms will result in removal from the program.

- Mentor registration involves multiple background checks: a comprehensive screen of the applicant against the National Sex Offender Registry at the U.S. Dept of Justice’s Dru Sjodin National Sex Offender website, and a personal reference check.

- Protégé and parent/guardian complete and sign the registration form and conditions of service agreement. Failure to abide by these terms will result in removal from the e-mentoring program.


E-communication is firewalled and password-protected on a server that is managed by the NIH Office of Information Technology.

Privacy and Internet Safety

Participants are instructed that all communication between mentor and protégé is restricted to the designated NIH e-communication platform (no contact by phone or direct personal e-mail permitted). To minimize alternative communication channels, the sender’s email address is automatically deleted from messages.


To promote safe internet practices, Mentor and protégé receive separate guidelines that provide information and website links on appropriate internet safety and conduct in e-mentoring.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Personal information collected by SciMentorNet will be shared with NIH administrator at the Office of Science Education, and with IT support administrators of same, to archive in database for the direct purpose of matching protegees with mentors. This information will not be shared with third parties unless specifically authorized by legal authorities under existing statutes. IIF data will be retained on the system for the projected life cycle (12 months) of proposed activity (e-mentoring). These files will be deleted from the database upon direct request

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: For protegees:

Through E-mentoring, SciMentorNet will link participants with qualified mentors to provide information, guidance and support for developing a career in biomedical research, health or medicine. Internet-based communication will occur between area high school students and pre-screened postdoctoral fellows, scientists or health-care personnel who are determined to be well-suited to serve as E-mentors. Submission of all IIF information is strictly voluntary; however in order for participants to access this E-mentoring service all non-optional IIF questions must be answered.

For Mentors:

Submission of all IIF information is strictly voluntary; however in order for individuals to participate in this E-mentoring service all non-optional IIF questions must be answered. Professional information on each mentor will be posted on an internal NIH website so that protegees can use this information in selecting a mentor. In addition, the NIH administrator at the NIH Office of Science Education assigned to manage SciMentorNet will have access to all IIF collected for the purpose of periodically validating its accuracy or deleting this information from the database upon the participant's request.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: SciMentorNet participants will be notified by regular mail or electronic communication of any changes to the system that are covered by provisions of the privacy act. Consent for collecting and releasing IIF that fall outside the scope of the original notice will be made through similar channels.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Access to the SciMentorNet users database will be restricted to the designated NIH administrator at OSE. Unauthorized access will be restricted as indicated below.

There will be two completely different databases to this application. The first database will be available to the general public. It is where general information about the program is available. It is also where individuals can go to register as participants. The other database is where the actual communication resides. It will only be available to eligible participants. This is security at the database level.

Individuals will be required to complete an application, by which they will be given access authority. This is the point at which matches will occur. When a match is formed, mentor and student will be provided ID and password access to the second database. This is security by ID and password authentication.

Although all participants will have access to a common communication database, each person will only have access to his/her own relevant documents. Each document will have limited access characteristics that (a) limit readability to mentor, student, and NIH administration, (b) prohibit modification after it is created, and (c) internally/invisibly track who has created the document.

In addition, all E-communication is firewalled and password protected on a server that is managed by the NIH Office of Information Technology.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Antoine D. Jones

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Apr 2, 2008

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Project Performance Monitoring System (PPMS) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-4694-00-301-092

4. Privacy Act System of Records (SOR) Number: None

5. OMB Information Collection Approval Number: None

6. Other Identifying Number(s): None

7. System Name: NIH Program Performance Monitoring System (PPMS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Dr. Deborah G. Duran

10. Provide an overview of the system: The NIH Program Performance Monitoring System (PPMS) is a web-enabled centralized performance reporting system. The major component of the PPMS is the home page of the Program Performance Monitoring/GPRA website which is the interface for all components of the system. For the public viewer, the home page provides general performance information, published performance documents, and released performance highlights about NIH. For the NIH Partner User and Special Case user, it provides the portal into the PPMS data management feature of the system. This feature of the PPMS is a secured, password protected, customized software application designed to collect NIH GPRA Goal, OMB-PART, DECIDER (program/project performance monitoring tool), and GPRA Budget data.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory:

The system collects NIH Performance Information for:

- Government Performance Results Act (GPRA)

The information collected and maintained in VPS does not contain IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: None

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: None

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name: Dr. Deborah G. Duran

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Research and Training Opportunities System (RTO) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-26-02-4688-00-401-119 and 009-25-01-27-02-4616-00-305-109

4. Privacy Act System of Records (SOR) Number: 09-25-0014 and 09-25-0158

5. OMB Information Collection Approval Number: 0925-0299

6. Other Identifying Number(s): N/A

7. System Name: NIH OD Research and Training Opportunities System (RTO)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Steve Alves

10. Provide an overview of the system: The Office of Intramural Training and Education (OITE) is engaged in recruitment, placement, retention, support and tracking of trainees at all levels. The linchpin for the receipt of applications is an electronic application that is connected to a website describing a range of intramural training opportunities. The NIH is authorized to conduct research training for which fellowship support is not provided under Section 487 of the PHS Act and which is not residency training of physicians or other health professionals [42 U.S.C. 282(b)(13)]. Clinical training is permitted under [42 U.S.C. Sections 209(g) and 209(h) and 42 C.F.R. Part 61B].

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Applicants whose citizenship status is Permanent resident are required to provide their Country of Citizenship and Alien Registration Number.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The electronic application system collects information necessary to evaluate the qualifications of individuals who seek intramural research training opportunities at the NIH. These fields include the following: name, month and day of birth, email address, permanent address, telephone number, veteran status, citizenship status, institutional affiliations, courses completed and grades earned, grade point average (GPA), academic major and a resume or curriculum vitae. In addition, applicants are asked to submit a cover letter outlining their research interests and career goals as well as reasons for applying for training at the NIH. Also, applicants are asked to indicate their preferences regarding scientific interests and medical entity or disease categories. Letters of Reference are entered electronically. Candidates also have the option of voluntarily responding to questions regarding Race and National Origin (RNO). This data is collected in aggregate.

Information is collected in order to match candidates for intramural training with research opportunities in NIH intramural programs.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Information will be collected through a web-based electronic application system. Applicants are provided with a link to the following Privacy Act Notification Act Statement.

“Collection of this information is authorized under 42 USC 284(b)(1)(c); and 287c-1. The primary use of this information is to evaluate your qualifications for research training at the National Institutes of Health. Additional disclosures may be made to law enforcement agencies concerning violations of law or regulation. Application for this program is voluntary, however, in order for us to process your application, you must complete the required fields.”

Applicants are also informed that responses to questions regarding the collection of Race and National Origin (RNO) data are strictly voluntary. (Electronic Notice)

There is no process in place currently to notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Methods are in place to ensure least privilege (i.e., "need to know" and accountability). Accounts to access application data are issued by authorized representatives from the individual ICs. Access to accounts that give the user greater access (to create "read only" accounts and to accept applicants electronically) is controlled by OITE staff. Also, OITE’s Web contractors do not have full administrative rights on development and production servers, and only access specific folders on these servers. Technical Controls in place to minimize the possibility of unauthorized access, use, or dissemination of the data in the system include User Identification, Passwords, Firewall, Virtual Private Network (VPN), Encryption, and Intrusion Detection System (IDS). Regarding physical access controls that are currently on the system, the Web, e-mail, and database servers are maintained in secure NIH buildings at which security guards are posted. Access to the servers is restricted to authorized CIT/OIT individuals with valid Identification Badges.

In addition, the IT contractor is required to adhere to the security guidelines contained in the DHHS Automated Information Systems Security Program (AISSP) Handbook. Software development is performed on a shared NIH server residing inside the NIH firewall. Development will occur on specific servers maintained by the NIH Office of Information Technology. All contract employees are subject to a National Agency Check and Inquiry Investigation plus a Credit Check (NACIC).

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name:

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Roadmap Coding (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-8601-00-402-125

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Roadmap Coding

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Donna Stephenson

10. Provide an overview of the system: The Roadmap Coding System is a database application that enables NIH Office of the Director (OD) Office of Budget personnel to assign codes to grants. These code values denote the relationship between the NIH’s expenditure and an area of science, disease, or disorder. The system also enables Scientific and Budget Analysts to analyze expenditures by fiscal year and generate reports. Using this system, analysts generate budgetary and scientific year-end reports that are used to respond to internal and external requests for information. The data is also available earlier in the fiscal year so that the burden on program and budget staff to code grants and generate reports in a timely manner is greatly reduced. Additionally, the ability of the institute to respond to external queries is greatly enhanced.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system maintains the names of Principal Investigators who receive grants from the NIH, Roadmap Coding System Users, and Program Directors. System users can generate reports that display the name and institution of the Principal Investigators and the name of the grant’s Program Director. These reports are provided to NINDS and NIH management as requested. See SOR # 09-25-0036

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory:

The system stores the following information:

Principal Investigator Name.

System User Name.

Program Director Name.

Principal Investigator Institution Name.

System User Email Address.

As a part of the NIH grant application process, Principal Investigators are required to provide their name and institution name. The Roadmap Coding System downloads this information that the IMPAC II database has already collected.

Grants are assigned to Program Directors (PDs), and the PD names are stored to record these assignments.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Individuals are notified of the requirement to collect the IIF in the grant application process. They are informed their grant application cannot be processed without it and their consent is assumed when they submit a signed application. The NINDS Roadmap Coding system obtains this information and any changes from the IMPACII database. Notification is provided by the IMPACII system. Individuals are not notified when major changes occur to the NINDS Roadmap Coding system. Changes to the NINDS Roadmap Coding system that affect IIF would only be made if major changes were made to the IMPACII system. If that were to happen those individuals would be informed through the IMPACII system.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system has several administrative controls in place to secure the data. The NIH requires security training for all system users on an annual basis. Also, the security controls and disaster recovery plan are documented as part of the Certification and Accreditation process. Finally, the system maintains several user roles, and each system user is given the least privilege needed to perform his or her business function.

The system has several technical controls in place to secure the data. A user must first provide a valid username and password to access the NINDS network. The user must also be a system user before he or she can log onto the system. The system is also protected by the Institute’s firewall and intrusion detection systems.

The system also has several physical controls in place to secure the data. The system is protected by guards, ID badge requirements, key card access, cipher locks, and closed-circuit television. See SOR # 09-25-0036

PIA Reviewer Approval: Promote

Comments: Peter Soltys; NINDS; Co-Acting CIO; 301-496-0583

PIA Reviewer Name:

Peter Soltys; NINDS; Co-Acting CIO; 301-496-0583


Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Technology Tracking System (TechTracs) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-4621-00-110-219

4. Privacy Act System of Records (SOR) Number: 09-25-0168

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: TechTracS

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Jason Plummer

10. Provide an overview of the system: NIH TechTracS is a relational database management system that manages and monitors all aspects of the technology transfer process; i.e., CRADAs, invention disclosures, U.S. and foreign patent prosecution, license applications and agreements, technology, marketing, royalties’ collection, technology abstracts, statistics, and financial management.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.

Disclosure may be made to the Department of Justice or to a court or other tribunal from this system of records, when (a) HHS, or any component thereof; or (b) any HHS employee in his or her official capacity; or (c) any HHS employee in his or her individual capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the employee; or (d) the United States or any agency thereof where HHS determines that the litigation is likely to affect HHS or any of its components, is a party to litigation or has an interest in such litigation, and HHS determines that the use of such records by the Department of Justice, court or other tribunal is relevant and necessary to the litigation and would help in the effective representation of the governmental party, provided, however, that in each case HHS determines that such disclosure is compatible with the purpose for which the records were collected. Disclosure may also be made to the Department of Justice to obtain legal advice concerning issues raised by the records in this system.

In the event that a system of records maintained by this agency to carry out its functions indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule or order issued pursuant thereto, the relevant records in the system of records may be referred to the appropriate agency, whether Federal, State, or local, charged with enforcing or implementing the statute or rule, regulation or order issued pursuant thereto.

d. NIH may disclose records to Department contractors and subcontractors for the purpose of collecting, compiling, aggregating, analyzing, or refining records in the system. Contractors maintain, and are also required to ensure that subcontractors maintain, Privacy Act safeguards with respect to such records.

e. NIH may disclose information from this system of records for the purpose of obtaining patent protection for PHS inventions and licenses for these patents to: (a) scientific personnel, both in this agency and other Government agencies, and in non-Governmental organizations such as universities, who possess the expertise to understand the invention and evaluate its importance as a scientific advance; (b) contract patent counsel and their employees and foreign contract personnel retained by the Department for patent searching and prosecution in both the United States and foreign patent offices; (c) all other Government agencies whom PHS contacts regarding the possible use, interest in, or ownership rights in PHS inventions; (d) prospective licensees or technology finders who may further make the invention available to the public through sale or use; (e) parties, such as supervisors of inventors, whom PHS contacts to determine ownership rights, and those parties contacting PHS to determine the Government's ownership; and (f) the United States and foreign patent offices involved in the filing of PHS patent applications.

f. NIH will report to the Treasury Department, Internal Revenue Service (IRS), as taxable income, the amount of royalty payment paid to PHS inventors.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The OTT will collect and store inventor name, address, social security number (required if inventor is receiving royalties, otherwise optional), title and description of the invention, Employee Invention Report (EIR) number, Case/Serial Number, prior art related to the invention, evaluation of the commercial potential of the invention, prospective licensees intended development of the invention, associated patent prosecution and licensing documents and royalty payment information.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Any changes that are made to the information collected would be provided via our website and on any updated EIR. We also have the capability to send e-mails directly to individuals from TechTracS. We have not had any changes to this data since TechTracS was launched and have not had to do this.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Through the use of limited field access for specific groups of users, user IDs, passwords, the NIH firewall, and intrusion detection systems. Also physical security, such as guards who require employees to display their ID when entering the building, along with doors to the computer room which require key cards to access them.

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name: Susan Bruff

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD The Genetic Modification Clinical Research Information System (GemCRIS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-05-01-4630-00-110-219

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Genetic Modification Clinical Research Information System (GeMCRIS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Kelly Fennington

10. Provide an overview of the system: To enhance the collection, analysis, and application of safety information related to human gene transfer clinical trials.

NIH is a major focal point within the U.S. Department of Health and Human Services (DHHS) for addressing the scientific, ethical, legal, and societal issues raised by advances in biotechnical research. A critical objective in NIH's mission is to gather, evaluate, and disseminate information regarding developments in biomedical research programs. NIH provides the information to the general public, which includes patients and their families, physicians, advocacy groups, researchers, biosafety experts, and industry representatives. NIH is sponsoring several initiatives aimed at enhancing the systematic collection, analysis, and application of safety information from gene therapy clinical trials. One of these initiatives is the Genetic Modification Clinical Research Information System (GeMCRIS). GeMCRIS is a data system developed by the Office of Biotechnology Activities (OBA) in collaboration with the Food and Drug Administration (FDA) to manage information about the conduct of gene transfer clinical trials. A key contribution of GeMCRIS is that it will permit access to information in a form that enhances the types of review and analyses critical for optimizing patient safety, identifying critical information gaps, and facilitating scientific collaboration and progress.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: GeMCRIS is a data system developed by OBA in collaboration with the Food and Drug Administration (FDA) to manage information about the conduct of gene transfer clinical trials. The database will enable diverse users - investigators, patients, administrators, and government officials - to search for and conduct analyses on any number of specific variables pertinent to gene transfer trials. A key contribution of GeMCRIS is that it will facilitate efforts to optimize patient safety, identify critical information gaps, and promote scientific collaboration and progress. The value of a generic GeMCRIS to the NIH Community would be several-fold. The rich data sets and query tools that a generic GeMCRIS would contain would augment the ability of all Institutes and their grantees to conduct analyses pertinent to the science, safety, and oversight of the research for which they are responsible. The use of standardized vocabularies facilitates the exchange, compilation, and analysis of data, thereby permitting meta-analysis and communication between Institutes about research activities they are supporting. The electronic adverse event reporting module would facilitate adverse event reporting for all NIH grantees, allowing NIH to gather necessary information in a more timely and consistent way while alleviating a measure of burden on the research community. The enhanced understanding of the science and safety of clinical research that GeMCRIS will benefit current and future trial participants through improved oversight and informed consent. GeMCRIS does not collect IIF and submission to this system is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Reviewer Approval: Promote


PIA Reviewer Name: Kelly Fennington

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Undergraduate Scholarship Program (UGSP) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-27-02-4619-00-305-109

4. Privacy Act System of Records (SOR) Number: 09-25-0165

5. OMB Information Collection Approval Number: OMB No. 0925-0361, 12/31/2004

6. Other Identifying Number(s): OIR/ILRSP – UGSP

7. System Name: National Institutes of Health Undergraduate Scholarship Program

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Alfred C. Johnson, Ph.D.

10. Provide an overview of the system: The NIH UGSP Web site and Electronic Application System provides a Web-based interface for individuals to obtain information, such as eligibility requirements and conditions for participating in the NIH Undergraduate Scholarship Program (UGSP). The Web site also provides an electronic application system. Apply online or download and print application forms

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): NIH Institutes/Centers, NIH Office of Financial Management, Academic Institutions SOR: 09-25-0165. This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0165, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory:

Applicant: name, social security number, contact information, citizenship status, academic institution, college level, certification of non-delinquent status, names of recommenders, responses to essay questions

Recommenders: name, contact information, and applicant evaluation

Participants: name, contact information, program evaluation/feedback, travel requests

The information is collected to determine eligibility for the program, evaluate applicants, administer the program, collect feedback regarding the program, and process travel requests.

User consent is implicit in the act of providing the information. Providing the information is voluntary; however, in most circumstances failing to provide the information precludes applicants from qualifying for the program or precludes participants from receiving benefits of the program.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared:

There is currently no process in place to notify individuals whose IIF is in the system when a major change occurs to the system; however, the system records users’ contact information, so notice could be provided if needed.

A copy of our Privacy Act Notification is posted on our Web site and is available to all individuals providing IIF. The Privacy Act Notification lists the purposes for collecting the information, as well as the routine uses permitted by the Privacy Act.

User consent is implicit in the act of providing the information. Providing the information is voluntary; however, in most circumstances failing to provide the information precludes the applicant from qualifying for the program or precludes the participant from receiving benefits of the program.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Authorized users access to information is limited to authorized personnel in the performance of their duties. Physical Safeguards: Rooms where records are stored are locked when not in use. During regular business hours rooms are unlocked but are controlled by on-site personnel. Procedural and Technical Safeguards: Usernames and passwords are required to access the site, and a data set name controls the release of data to only authorized users. Passwords are changed periodically, and accounts are deleted when employees or contractors leave. These practices are in compliance with the standards of Chapter 45-13 of the HHS General Administration Manual, "Safeguarding Records Contained in Systems of Records," supplementary Chapter PHS 45-13, and the Department’s Automated Information System Security Handbook.

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name: Alfred C. Johnson, Ph.D.

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD ViewStar (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: N/A

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: OD View Star

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Paul Haynes

10. Provide an overview of the system: The Viewstar is an accounting imaging and workflow automation system used to scan NIH invoices. Viewstar involves a front-end process through which invoices are imaged and data is attached to support OFM staff as they interface with the NIH’s invoice payment functions. The application is used to edit and store digital copies of payable invoices. The primary user is the Commercial Accounts office within OFM. Viewstar was placed into production in April 1997

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): N/A

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The Viewstar is an accounting imaging and workflow automation system used to scan NIH invoices. Viewstar involves a front-end process through which invoices are imaged and data is attached to support OFM staff as they interface with the NIH’s invoice payment functions. The application is used to edit and store digital copies of payable invoices. The primary user is the Commercial Accounts office within OFM. Viewstar does not contain any IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: N/A

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: N/A

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name: Paul Haynes

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Vulnerability Tracking System (VTS) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Vulnerability Tracking System (VTS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Christopher Todd

10. Provide an overview of the system: The VTS is used by the NIH Incident Response Team to track network vulnerability scans of NIH.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system does not collect information in identifiable form. The VTS is used to store data from vulnerability scans of NIH IP space. The information is accessible by authorized personnel for the purposes of corrective action.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: There is no IIF in this system.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana, NIH/CIT/OPEC

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD Workflow Information Tracking System (WiTS) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 2, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-01-09-02-4698-00-403-232

4. Privacy Act System of Records (SOR) Number: 09-90-0018

5. OMB Information Collection Approval Number: N/A

6. Other Identifying Number(s): N/A

7. System Name: Workflow Information Tracking System (WiTS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sharon Reed

10. Provide an overview of the system: WiTS is a workflow management system that will provide corporate consistency through business process management and automated workflows. This automated workflow system enables HR to monitor and track the status of a vast array of actions, correspondence and approvals. It enables the HR to track the location, responsible person/body, action status, action effective/due date, etc., of personnel and other HR actions (i.e., awards, employee relations, correspondence, FOIA requests, etc.); with system access, WiTS can communicate status of actions to administrative staff and management officials through its monitoring views; allow for the measuring of performance of HR staff (trend analysis); identify improvement areas; identify staff skill and competency in HR areas; provide a variety of reports (i.e. workload, gain/loss); and promote/facilitate the provision of customer service through improved communication and timeliness in completing actions. WiTS is secure and web-enabled, and with appropriate remote privileges, can be accessed over the Internet from anywhere.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): HR management & staff and IC management officials. SOR#09-90-0018. This information is further addressed in the HHS Privacy Act Systems of Record Notice 09-90-0018, published in the Federal Register, Volume 59, November 9, 1994.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Information provided in HR status/informational/metric/performance reports. PIA is mandatory for metric reporting purposes. No personal information (other than name) is captured in the reports – only metrics associated with the HR action.

WiTS collects data on personnel actions processed within HR (e.g., action type, employee name, Empl ID, effective date, IC). The agency uses the data to provide performance metrics to HR and NIH management. The collection of minimal personal data is mandatory for reporting.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: WiTS collects minimal personal data, e.g., name, Empl ID, organization, etc. It does not collect SSN, DOBs; therefore, no employee consent is obtained. WiTS sends emails to supervisors and users when changes in profiles/accounts are requested by supervisors and made in WiTS. All users are sent notice via LiSTSERV when changes in the system occur. Notices are in the form of electronic mail.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: System uses NIH Single Sign On to manage access and remaining security via the GSS.

PIA Reviewer Approval: Promote

Comments: Antoine D. Jones

PIA Reviewer Name:

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORF 58000 (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: NO

4. Privacy Act System of Records (SOR) Number: NO

5. OMB Information Collection Approval Number: NO

6. Other Identifying Number(s): NO

7. System Name: 58000

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tom Myers

10. Provide an overview of the system: This application provides a means to allow individuals to make maintenance requests.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system collects and maintains building location information, and maintenance problems. It also helps to track the status of work orders. No IIF is contained, and submission is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer - 301-496-9923

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Pla

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORF Andover Continuum (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: TBD

4. Privacy Act System of Records (SOR) Number: 09-25-0054

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Andover Continuum

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Alex Salah

10. Provide an overview of the system: This system provides physical access control to the NIH Bethesda campus and the Rocky Mountain Lab Location.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Reference SOR # 09-25-0054. Disclosure to congressional office in response to a congressional inquiry. To law enforcement officers when there is an indication of violation or potential violation of law. In the event of litigation when the defendant is the Department or employee of the Department acting in his/her official capacity.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: See SOR # 09-25-0054 for details. Records on employees and contractors of NIH who are issued card keys are maintained in the system. IIF data including name, address, photo, and date of birth are maintained in the system. Submission of this information is voluntary. However, failure to voluntarily provide the information could impact employment opportunities within NIH facilities.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: This process is interactive with employees/contractors at NIH. The information collected is with full acknowledgment of the individual. Notification of major system changes regarding data use and/or disclosure would come through modification of Privacy Act Statements and a required revision of the SOR # 09-25-0054. An email request is planned for use to obtain individual consent. As such the NIH global email system is in place and capable of reaching NIH badge holders.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is protected by a number of different controls that can be viewed in detail in the system C&A package. Some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based access. For physical protection, the NIH campus is protected by guards and police; in addition, the server itself is kept behind a locked door. Administratively, procedures are in place to allow only individuals with a job-related necessity to access IIF.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer -- 301-496-9923

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORF Archibus (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Archibus

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Nat Hargraves

10. Provide an overview of the system: Archibus is an integrated suite of applications that addresses all aspects of facilities and infrastructure management. It stores, maintains and reports on NIH owned and leased space. The tracking and reporting of the portfolio is not associated with any personal identifiers.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The information the agency will collect is the location and square footage of all owned and leased space and the IC/organization occupying the space. This information is used to calculate rent, provide information to ICs/organizations on the space they occupy and to plan moves and renovations. The collected information does not contain any personal information in identifiable form.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is protected by a number of different controls that can be viewed in detail in the system C&A package. Some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based access. For physical protection, the NIH campus is protected by guards and police; in addition, the server itself is kept behind a locked door. Administratively, procedures are in place to allow only individuals with a job-related necessity to access IIF.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer -- 301-496-9923

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORF Calendar Module for ORF (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 12, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Calendar Module for ORF

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Lavern James

10. Provide an overview of the system: This system allows users to view a training class or events through an online calendar.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system contains contact information for individuals responsible for events being advertised on the calendar. Some of these individuals are contractors. The site does not collect information. This system does contain IIF. Individuals that add items to the calendar have the option to put their contact information with the item if the PoC for the event requires that their information be available. This is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Individuals who are designated contacts for events are notified that they will be presented as points of contact for that particular event. There are not any processes in place to notify individuals if system changes are being performed.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is protected by a number of different controls that can be viewed in detail in the system C&A package. Some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based access. For physical protection, the NIH campus is protected by guards and police; in addition, the server itself is kept behind a locked door. Administratively, procedures are in place to allow only individuals with a job-related necessity to access IIF.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORF Chemical Log (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 11, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Chemical Log

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Percival Brereton

10. Provide an overview of the system: This application is used by building engineers to add/update/delete the chemicals for their building.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): no

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: There is no IIF that is collected, maintained, or shared in this system. Data on chemicals or rather listing of chemicals, their amounts, and locations are done by Supervisors or designated individuals for safety reasons. This information is not designated to anyone but rather is a log that should be accessible to the Fire Dept., Safety Inspectors or any authorized individual. The information is to enable one to locate a listed chemical and its amount. Particularly, in the event of an emergency or crisis, one can know what kinds of chemicals would have to be dealt with, or in the event of a fire, the potential chemical hazard will be known. It is intended to be basically a tracking mechanism.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF collected

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF collected

PIA Reviewer Approval: Promote

Comments: I am promoting this based on IT comments that the system owner has reviewed and attests to accuracy; not all questions answered, but question 17 indicates that this is not a PIA system.

PIA Reviewer Name: Genia H. Bohrer

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORF EDMS (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: May 15, 2006

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: EDMS

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tom Myers

10. Provide an overview of the system: The EDMS system is responsible for storing, manipulating, and reporting on NIH facilities data.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share or disclose IIF with any other individuals or organizations.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory:

The EDMS stores information about NIH facilities. The majority of the information is in the form of engineering drawings. Some information is in the form of Excel worksheets and Word documents. NIH uses this information to support facility operation and maintenance or renovation.

EDMS users must have access to the NIH Domain to view the EDMS homepage. From the homepage, they must supply a valid username and password to gain access. Access is controlled so users access only the facilities they need to see. Information required for a user account is the username and password (which is stored in an encrypted format). If a user requests to be notified when information in the EDMS changes, they must store an email address with their user account. An email address is not mandatory information. It is voluntary information that individuals can provide if they choose to do so.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There are not any processes.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is protected by a number of different controls that can be viewed in detail in the system C&A package. Some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based access. For physical protection, the NIH campus is protected by guards and police; in addition, the server itself is kept behind a locked door. Administratively, procedures are in place to allow only individuals with a job-related necessity to access IIF.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORS Background Investigation Tracking System (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: no

4. Privacy Act System of Records (SOR) Number: 09-90-0020

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Background Investigation Tracking System II

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Alex Salah

10. Provide an overview of the system: BITS II tracks the background investigation status of potential employees of NIH.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system shares the investigation status (pending, ongoing, complete).

Investigation status information is shared with HSPD-12 Issuers and Adjudicators who are designated in writing and personnel security staff who must interface with Applicants. Information is shared as part of the PIV card issuing process, e.g. investigation status must be verified prior to PIV card issue or revoking PIV card.

This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-90-0020, published in the Federal Register, Volume 60, January 20, 1995.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Yes the information contains IIF. Submission of the personal information is voluntary. However, the absence of required information may impact position selection decisions.

The agency collects information needed to track the background investigation status of potential NIH employees. Additionally, the system can be used by FTEs to pre-register visitors to the NIH Bethesda campus.

The information contains IIF. Submission of the personal information is voluntary. However, the absence of required information may impact position selection decisions.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The information collected is obtained from the actual individuals. Information is not obtained through observation.

Processes are being put into place to notify and obtain consent from individuals whose IIF is in the system, with the HHS HSPD-12 System of Records for the HSPD-12 systems. Name, SSAN are being collected and this information is shared only with officially designated HSPD-12 Sponsors, Adjudicators and Issuers.

Processes are being put into place to notify and obtain consent from individuals whose IIF is in the system, with the HHS HSPD-12 System of Records for the HSPD-12 systems when major system changes have occurred.

Name, SSAN are being collected and this information is shared only with officially designated HSPD-12 Sponsors, Adjudicators and Issuers.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is protected by a number of different controls that can be viewed in detail in the system C&A package; some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based access. For physical protection, the NIH campus is protected by guards and police; in addition, the server itself is kept behind a locked door. Administratively, procedures are in place to allow only individuals with a job-related necessity to access IIF.

Hard copy of IIF data is stored in locked file cabinets inside key card controlled spaces. File cabinet key control is maintained through a key control locker with written log out records. Access is controlled based on officially designated Role assignments which are in writing. System data is protected by dual authentication log on while data base systems are maintained in the NIH CIT security controlled computer facility which has special key card entry controls, guards, and CCTV security cameras. In addition the system network includes an intrusion detection system and firewalls to detect and limit access respectively.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORS Facilities Risk Management Application (RMA) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Facilities Risk Management Application

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: James Williams

10. Provide an overview of the system: The Facilities Management system provides the Division of Physical Security Management the ability to perform security assessments of facilities leased or owned by NIH. The main reason for moving this into Remedy was to get it in an on-line form, removing the paper trail.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Our agency SER/DPSM (Security Emergency Response/Division of Physical Security Management) uses the application only to collect NIH Facility information such as square footage, population, alarm systems, access controls such as card readers, etc. to allow our Physical Security Specialist to maintain a record base of the periodic security surveys they perform on NIH government facilities. The data that we collect does not contain any personal information nor do we disseminate any personal information. The information that is maintained for our records is used also to provide periodic security reports when needed to the Department of Homeland Security; it is all data pertaining to the security of government buildings.

2. The information does not contain data in identifiable form (IIF).

3. There is no personal information submitted that would fall into a voluntary or mandatory category.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There are none.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is protected by a number of different controls that can be viewed in detail in the system C&A package. Some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based access. For physical protection, the NIH campus is protected by guards and police; in addition, the server itself is kept behind a locked door. Administratively, procedures are in place to allow only individuals with a job-related necessity to access IIF.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer -- 301-496-9923

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORS FACnet (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jan 9, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: n/a

4. Privacy Act System of Records (SOR) Number: n/a

5. OMB Information Collection Approval Number: n/a

6. Other Identifying Number(s): n/a

7. System Name: Facilities Access Control Network

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ben Ashtiani

10. Provide an overview of the system: The Facilities Access Control Network or FACnet is the underlying network infrastructure supporting several applications including Building Automation Systems (BAS), Visitor Badging System (VBS), Telvent SCADA Systems, Access Control Systems (card access controls for physical access), DVR/DVX (video security monitors), IDS (physical security intrusion detection systems), and Elevator systems (elevator system controls). FACnet is a non-routable network using private IP addressing and access is limited to authorized individuals only - it is not a public network.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): n/a

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: This system collects no information; no IIF is collected by this system.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: n/a

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: n/a

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer -- 301-496-9923

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORS FSA ATLAS (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 5, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-25-0140

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: FSA Atlas

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Candelario Zapata

10. Provide an overview of the system: Monitors and tracks foreign scientist immigration information.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): IIF is shared with internal NIH systems—NED and Data Warehouse. Such information verifies the validity of the foreign scientist’s stay in the U.S. and allows the individual to obtain an NIH badge.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Monitor immigration compliance of foreign nationals at NIH. Information collected contains IIF and submission is mandatory. The IIF collected only pertains to foreign nationals. Such information is necessary to document the individual’s presence at the NIH, to record immigration history of the individual in order to verify continued eligibility in NIH research programs, and to meet requirements in the Code of Federal Regulations (8 CFR, Aliens and Nationality, and 22 CFR, Foreign Relations) and other applicable immigration laws, including Public Law 107-173, Enhanced Border Security and Visa Entry Reform Act of 2002 and Public Law 107-56, USA PATRIOT ACT.

Contact information collected from individuals is their NIH work address; permanent address in the home country; residential address in the U.S.; and mailing address in the U.S. (if different from residential address). In addition, telephone and fax numbers are collected for each address, as well as email addresses.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: IIF is collected by the NIH administrative or personnel offices. The IIF collected only pertains to foreign nationals. That information is then sent to the DIS to request immigration assistance. Based on the IIF collected by the IC, the DIS issues the appropriate immigration document and sends it to the individual foreign scientist. The immigration document itself contains notification and consent information. By signing and/or using the immigration document to enter the U.S., the foreign scientist automatically consents. Different federal agencies (including the Department of Homeland Security and Department of State) issue Federal Register notices when major changes to data collection occur, such as with the USA PATRIOT ACT (Public Law 107-56).

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The application is protected through the use of security controls implemented by CIT and ORS. These controls include intrusion detection systems as well as firewalls. The application is also hosted by ORS which helps to secure the information being stored.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer -- 301-496-9923

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORS GRANITE (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 5, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-01-02-3301-00

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Granite Enterprise

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Rob Debellis

10. Provide an overview of the system: This system is used to collect information on the animal resources provided by DVR.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The Granite Enterprise System collects Full Name, NIH contact telephone number and NIH e-mail address. The Full Name is required for both users and Study Protocols. The NIH contact telephone number and/or the NIH e-mail address is used for emergency contact information only.

The Full name is the only mandatory information collected.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There are none.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is protected by a number of different controls that can be viewed in detail in the system C&A package. Some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based access. For physical protection, the NIH campus is protected by guards and police; in addition, the server itself is kept behind a locked door. Administratively, procedures are in place to allow only individuals with a job-related necessity to access IIF.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer -- 301-496-9923

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORS INNOPAC (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-25-0217

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Innopac

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ben Hope

10. Provide an overview of the system: Innopac is the Integrated Library system that runs the Division of Library Services catalog, their web interface to the DLS catalog, the patron file with public NED information, the acquisitions information for book and journal purchases, and the catalogs for 5 other Libraries.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not normally disclose IIF with other groups. However, under particular circumstances, the following reasons can cause information to be released (SOR# 09-25-0217):

Records will be routinely disclosed to the Treasury Department in order to effect payment.

Records may be disclosed to Members of Congress concerning a Federal financial assistance program in order for members to make informed opinions on programs and/or activities impacting on legislative decisions. Also, disclosure may be made to a Member of Congress or to a Congressional staff member in response to an inquiry from the Congressional office made at the written request of the individual.

Disclosure may be made to the Department of Justice for the purpose of obtaining its advice regarding whether particular records are required to be disclosed under the Freedom of Information Act.

A record from this system may be disclosed to a Federal, State or local agency maintaining civil, criminal or other relevant enforcement records or other pertinent records, such as current licenses, if necessary to obtain a record relevant to an agency decision concerning the hiring or retention of an employee, the issuance of a security clearance, the reporting of an investigation of an employee, the letting of a contract or the issuance of a license, grant or other benefit by the requesting agency, to the extent that the record is relevant and necessary to its decision on the matter.

Where Federal agencies having the power to subpoena other Federal agencies’ records, such as the Internal Revenue Service (IRS) or the Civil Rights Commission, issue a subpoena to the NIH for records in this system of records, the NIH will make such records available, provided however, that in each case, the NIH determines that such disclosure is compatible with the purpose for which the records were collected.

Where a contract between a component of HHS and a labor organization recognized under E.O. 11491 provides that the agency will disclose personal records relevant to the organization’s mission, records in the system of records may be disclosed to such an organization.

A record may be disclosed to the Department of Justice, to a court, or other tribunal, or to another party before such tribunal, when: (1) HHS, or any component thereof; (2) any HHS employee in his or her official capacity; (3) any HHS employee in his or her individual capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the employee; or (4) the United States or any agency thereof where HHS determines that the litigation is likely to affect HHS or any of its components, is a party to the litigation or has an interest in the litigation, and HHS determines that the use of such records by the Department of Justice, the tribunal, or the other party is relevant and necessary to the litigation and would help in the effective representation of the government party, provided however, that in each case, HHS determines that such disclosure is compatible with the purpose for which the records were collected.

A record about a loan applicant or potential contractor or grantee may be disclosed from the system of records to credit reporting agencies to obtain a credit report in order to assess and verify the person’s ability to repay debts owed to the Federal Government.

When a person applies for a loan under a loan program as to which the OMB has made a determination under I.R.C. 6103(a)(3), a record about his or her application may be disclosed to the Treasury Department to find out whether he or she has a delinquent tax account, for the sole purpose of determining the person’s creditworthiness.

A record from this system may be disclosed to the following entities in order to help collect a debt owed the United States:

a. To another Federal agency so that agency can effect a salary offset;

b. To the Treasury Department or another Federal agency in order to effect an administrative offset under common law or under 31 U.S.C. 3716 (withholding from money payable to, or held on behalf of the individual);

c. To the Treasury Department to request the person’s mailing address under I.R.C. 6103(m)(2) in order to help locate the person or to have a credit report prepared;

d. To agents of HHS and to other third parties, including credit reporting agencies, to help locate the person or to obtain a credit report on him or her, in order to help collect or compromise a debt;

e. To debt collection agents or contractors under 31 U.S.C. 3718 or under common law to help collect a past due amount or locate or recover a debtor’s assets;

f. To the Justice Department for litigation or for further administrative action; and

g. To the public, as provided by 31 U.S.C. 3720E, in order to publish or otherwise publicly disseminate information regarding the identity of the person and the existence of a non-tax debt.

Disclosure under parts (d) and (g) is limited to the individual’s name, address, social security number, and other information necessary to identify the person. Disclosure under parts (a)-(c) and (e) is limited to those items; the amount, status, and history of the claim; and the agency or program under which the claim arose. An address obtained from the IRS may be disclosed to a credit reporting agency under part (d) only for the purpose of preparing a credit report on the individual.

11. A record from this system may be disclosed to another Federal agency that has asked HHS to effect an administrative offset under common law or under 31 U.S.C. 3716 to help collect a debt owed the United States. Disclosure is limited to name and address, Social Security number, and other information necessary to identify the individual; information about the money payable to or held for the individual; and other information concerning the administrative offset.

12. Disclosure with regard to claims or debts arising under or payable under the Social Security Act may be made from this system to "consumer reporting agencies" as defined in the Fair Credit Reporting Act (15 U.S.C. 1681a(f)) of the Federal Claims Collection Act of 1966 (31 U.S.C. 3701(a)(3)). The purpose of this disclosure is to aid in the collection of outstanding debts owed to the Federal Government. Disclosure is limited to the individual’s name, address, Social Security number, and other information necessary to establish the individual’s identity; the amount, status and history of the claim; and the agency or program under which the claim arose.

13. Information in this system of records is used to prepare W-2s and 1099 Forms to submit to the Internal Revenue Service and to applicable State and local governments. Items considered to be included as income to a person: certain travel related payments to employees, all payments made to persons not treated as employees (e.g., fees to consultants and experts), and amounts written-off as legally or administratively uncollectible, in whole or in part.

14. A record may be disclosed to banks enrolled in the Treasury Credit Card Network to collect a payment or debt when the person has given his or her credit card number for this purpose.

15. Records may be disclosed to a contractor (and/or to its subcontractor) who has been engaged to perform services on an automated data processing (ADP) system used in processing financial transactions. The contractor may have been engaged to develop, modify and test a new ADP system, including both software and hardware upgrades or enhancements to such a system; perform periodic or major maintenance on an existing ADP system; audit or otherwise evaluate the performance of such an ADP system; and/or operate such a system.

16. Records may be disclosed to student volunteers, individuals working under a personal services contract, and other individuals performing functions for the NIH but technically not having the status of agency employees, if they need access to the records in order to perform their assigned agency functions.

17. A record from this system may be disclosed to any Federal agency or its agents in order to participate in a computer matching of a list of debtors against a list of Federal employees. Disclosure of records is limited to debtors’ names, names of employers, taxpayers’ identifying numbers, address (including addresses of employers), dates of birth, and other information necessary to establish the person’s identity.

18. A record of a person responsible for a current claim may be disclosed to a commercial reporting agency in order to aid in the collection of claims, typically by providing an incentive to the person to repay the claim or a debt timely. Disclosure of records is limited to information about a person that is relevant and necessary to meet the principal purpose(s) for which it is intended to be used under the law.

19. A record from this system may be disclosed to the Treasury Department or to an agency operating a Debt Collection Center designated by the Treasury in order to effect a collection of past due amounts.

20. If HHS decides to sell a debt pursuant to 31 U.S.C. 3711(I), a record from the system may be disclosed to purchasers, potential purchasers, and contractors engaged to assist in the sale or to obtain information necessary for potential purchasers to formulate bids and information necessary for purchasers to pursue collection remedies.

21. If HHS decides to administratively garnish wages of a delinquent debtor under the wage garnishment provision in 31 U.S.C. 3720D, a record from the system may be disclosed to the debtor’s employer. This disclosure will take the form of a wage garnishment order directing that the employer pay a portion of the employee/debtor’s wages to the Federal Government. Disclosure of records is limited to the debtor’s name, address, and social security number.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The information system does not collect any IIF from individuals. IIF is contained within the application; however, the only IIF that is contained in the system is received from the NIH Enterprise Directory (NED) through nightly updates. Specifically, they receive:



NIH email

Office Location

Mail Stop

Office Phone Number

All of this information is public information which can be viewed at The information is used to identify the patron list for the Division of Library Services.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Contact the official at the address specified under notification procedure above, identify the record, and specify the information being contested, the corrective action sought, and the reasons for requesting the correction, along with supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is protected by a number of different controls that can be viewed in detail in the system C&A package. Some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based access. For physical protection, the NIH campus is protected by guards and police; in addition, the server itself is kept behind a locked door. Administratively, procedures are in place to allow only individuals with a job-related necessity to access IIF.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer -- 301-496-9923

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORS Interfaced Integrated Business Tool (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: TBD

4. Privacy Act System of Records (SOR) Number: #09-25-0216

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Integrated Interfaced Business Tool

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Abe Brauner

10. Provide an overview of the system: The IIBT is a data collection and retrieval system that provides management in OBF and division directors in ORS/ORF with budget cost data, some of which includes employee and salary data extracted and compiled from the NIH data warehouse (DW).

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Disclosure may be made to a congressional office from the records of an individual in response to an inquiry from the congressional office made at the request of that individual.

Disclosure may be made to representatives of the General Services Administration or the National Archives and Records Administration who are conducting records management inspections under the authority of 44 U.S.C. 2904 and 2906.

Disclosure may be made to agency contractors, experts, consultants, or volunteers who have been engaged by the agency to assist in the performance of a service related to this system of records and who need to have access to the records in order to perform the activity. Recipients are required to maintain Privacy Act safeguards with respect to these records.

Disclosure may be made to respond to a Federal agency's request made in connection with the hiring or retention of an employee, the letting of a contract or issuance of a security clearance, grant, license, or other benefit by the requesting agency, but only to the extent that the information disclosed is relevant and necessary to the requesting agency's decision on the matter.

Disclosure may be made to the Department of Justice, or to a court or other adjudicative body, from this system of records when (a) HHS, or any component thereof; or (b) any HHS officer or employee in his or her official capacity; or (c) any HHS officer or employee in his or her individual capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the officer or employee; or (d) the United States or any agency thereof where HHS determines that the proceeding is likely to affect HHS or any of its components, is a party to the proceeding or has any interest in the proceeding, and HHS determines that the records are relevant and necessary to the proceeding and would help in the effective representation of the governmental party.

The IIF contained within the system is disclosed to contractors engaged in system enhancements and maintenance.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The IIBT collects and compiles budget cost data sorted by object class, division, and period in order to assemble the ORS and ORF annual budget submissions. Management and budget analysts are able to query the data directly and via pre-determined reports. Inclusion of all employee data such as first name, last name, grade, pay scale, and IC is accomplished by involuntarily extracting records from the NIH data warehouse (DW).

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There are none specifically for IIBT.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is protected by a number of different controls that can be viewed in detail in the system C&A package. Some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based access. For physical protection, the NIH campus is protected by guards and police; in addition, the server itself is kept behind a locked door. Administratively, procedures are in place to allow only individuals with a job-related necessity to access IIF.

All IIF data is secured with a combination of administrative, technical, and physical controls. These are detailed in response to questions #49, #51, and #53.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer -- 301-496-9923

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORS MAXIMO (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 5, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: TBD

4. Privacy Act System of Records (SOR) Number: no

5. OMB Information Collection Approval Number: no

6. Other Identifying Number(s): no

7. System Name: Maximo

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ken Deng

10. Provide an overview of the system: The MAXIMO system tracks work orders, equipment information, stock room items, purchase/rental equipment and billing information.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system collects contact information for individuals who request work orders. We collect only the requester's name, phone, building, room and email address. All are public information and the information is used only to identify the requester; the technician needs the information to locate the customer and the equipment. The name and office phone number are mandatory.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There are none.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is protected by a number of different controls that can be viewed in detail in the system C&A package. Some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based access. For physical protection, the NIH campus is protected by guards and police; in addition, the server itself is kept behind a locked door. Administratively, procedures are in place to allow only individuals with a job-related necessity to access IIF.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer -- 301-496-9923

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORS Micromain (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: TBD

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Micromain

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tom Myers

10. Provide an overview of the system: MICROMAIN is used to track trouble calls for maintenance; and creates prescribed maintenance work orders.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: MICROMAIN is used to track trouble calls for maintenance; and creates prescribed maintenance work orders. The system specifically collects Name, telephone, building, room. The purpose of collecting this information is to identify where a maintenance issue is. All of the information is voluntarily entered by the individual making the request.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There currently is none.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is protected by a number of different controls that can be viewed in detail in the system C&A package. Some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based access. For physical protection, the NIH campus is protected by guards and police; in addition, the server itself is kept behind a locked door. Administratively, procedures are in place to allow only individuals with a job-related necessity to access IIF.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer -- 301-496-9923

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORS ORS/ORFnet (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jan 9, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: n/a

4. Privacy Act System of Records (SOR) Number: n/a

5. OMB Information Collection Approval Number: n/a

6. Other Identifying Number(s): n/a

7. System Name: ORS/ORFnet Network Enclave

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ben Ashtiani

10. Provide an overview of the system: The ORS/ORFnet is the network infrastructure consisting of routers, switches and other supporting network infrastructure; this also includes the IT security safeguards such as the PIX firewalls, Intrusion Detection Systems (IDS) and other security devices.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): n/a

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: This system collects no information; no IIF is collected by this system.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: n/a

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: n/a

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer -- 301-496-9923

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORS Parking and Transhare System (PARTS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: SOR# 09-25-0167

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Parking and Transhare System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Thomas Hayden

10. Provide an overview of the system: PARTS is the system that manages enrollment in NIH Transportation programs, including the parking enrollment system and the public transportation subsidy distribution system.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system shares information with individuals within the Division of Travel and Transportation, Division of Police, and the Division of Employee Services for the purpose of providing transportation services to NIH. Per SOR #09-25-0167,

Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.

The Department of Health and Human Services (HHS) may disclose information from this system of records to the Department of Justice, or to a court or other tribunal, when (a) HHS, or any component thereof; or (b) any HHS employee in his or her official capacity; or (c) any HHS employee in his or her individual capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the employee; or (d) the United States or any agency thereof where HHS determines that the litigation is likely to affect HHS or any of its components, is a party to litigation, and HHS determines that the use of such records by the Department of Justice, court or other tribunal is relevant and necessary to the litigation and would help in the effective representation of the governmental party, provided, however, that in each case HHS determines that such disclosure is compatible with the purpose for which the records were collected.

NIH may disclose applicant's name, unique computer identification number, NIH TRANSHARE commuter card number, and type of participant's fare media to be disbursed to cashiers of the Recreation and Welfare Association of the National Institutes of Health, Inc. (R&W Association) who are responsible for distribution of fare media. Cashiers are required to maintain Privacy Act safeguards with respect to such records.

Disclosure may be made to organizations deemed qualified by the Secretary to carry out quality assessments or utilization review.

NIH may disclose statistical reports containing information from this system of records to city, county, State, and Federal Government agencies (including the General Accounting Office).

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system shares information with individuals within the Division of Travel and Transportation, Division of Police, and the Division of Employee Services for the purpose of providing transportation services to NIH. PARTS collects, maintains, or disseminates the following information: name, NIH identifier, and work location information (from the NIH Directory); and vehicle, parking permit, facial image, and commuting information. The information contains the NIH UID (identifier) from the NIH Enterprise Directory (NED). Personal NED and vehicle information is mandatory if Transportation privileges are requested by the individual.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There currently are none.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is protected by a number of different controls that can be viewed in detail in the system C&A package. Some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based access. For physical protection, the NIH campus is protected by guards and police; in addition, the server itself is kept behind a locked door. Administratively, procedures are in place to allow only individuals with a job-related necessity to access IIF.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer -- 301-496-9923

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORS PassagePoint (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 10, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: n/a - UPI has never been assigned.

4. Privacy Act System of Records (SOR) Number: 09-25-0054

5. OMB Information Collection Approval Number: n/a

6. Other Identifying Number(s): n/a

7. System Name: PassagePoint Visitor Badging System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Major Patricia Haynes

10. Provide an overview of the system: The PassagePoint application acts as a badge issuance system for visitors to the NIH Bethesda campus. When a visitor arrives on campus, their IDs are scanned into the system as a .jpg file; the .jpg along with other IIF are stored in a back-end Microsoft SQL database; identity of the individual is validated through a photo on ID; name and photo of the visitor is checked against a "Do Not Admit/No Entry" list; once approved, the visitor is issued a temporary badge.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.

In the event that a system of records maintained by this agency to carry out its functions indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule or order issued pursuant thereto, the relevant records in the system of records may be referred, as a routine use, to the appropriate agency, whether Federal, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation or order issued pursuant thereto

In the event of litigation where the defendant is (a) the Department, any component of the Department, or any employee of the Department in his or her official capacity; (b) the United States where the Department determines that the claim, if successful, is likely to directly affect the operations of the Department or any of its components; or (c) any Department employee in his or her individual capacity where the Justice Department has agreed to represent such employee, the Department may disclose such records as it deems desirable or necessary to the Department of Justice to enable that Department to present an effective defense, provided that such disclosure is compatible with the purpose for which the records were collected.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system collects information that is stored on a normal form of identification. That could include Name, address, place of birth, birthdate, passport number, license number, photo identification, as well as other identification type info. Collection of personal information is mandatory based on NIH ORS SER DP Policy and Procedures.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: Write to the System Manager to determine if a record exists. The requester must also verify his or her identity by providing either a notarization of the request or a written certification that the requester is who he or she claims to be and understands that the knowing and willful request for acquisition of a record pertaining to an individual under false pretenses is a criminal offense under the Act, subject to a five thousand dollar fine. The system records visitors to the NIH; there is no mechanism in place to notify these people when a major upgrade to the system occurs; in this case, due to the purpose of this application, it should be exempt from the aforementioned requirement; individuals are providing the IIF at the time of visitor registration; therefore, they do not need to be informed as to the information that is being collected.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is located on a separate VLAN of a secure NIH network. The network is protected by firewall and IDS devices. Only authorized individuals are allowed access to the system both physically and remotely.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer -- 301-496-9923

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORS Point of Sale System (POS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 6, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Point of Sale System

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Chris Gaines

10. Provide an overview of the system: The POS system provides the functionality for maintaining records of cashier functions and cafeteria purchases. The system handles cash exchanges, but does not deal with any credit card transactions.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This system does not deal with any IIF

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The agency processes purchase information to complete the sale of items on the NIH campus. The Division of Employee Services will view individual transactions made in the retail and food service operations, not transactions by individuals. There is no specific personal data on individuals that will be collected. These transactions are simple cash/credit card transactions handled at typical retail and food service operations. However, the credit card portion is done externally to this system. The quantitative measure of these transactions will be used for analysis and gathering of trends to better give us a snapshot of what our customers are purchasing, how much is being purchased, and what services we can provide to maximize customer satisfaction. Submission of personal information by customers is not required to gather transaction data.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: None; since we are only using this as an automated cash register system. There would be no circumstances where personal information about anyone would be required for use of the system and to make transactions on the system. No individual would have to consent to provide personal data. The data that would be collected would be financial transactions and are not tied to any one individual.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is protected by a number of different controls that can be viewed in detail in the system C&A package. Some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based access. For physical protection, the NIH campus is protected by guards and police; in addition, the server itself is kept behind a locked door. Administratively, procedures are in place to allow only individuals with a job-related necessity to access IIF.

Administration of this system is currently being researched by ORS IT to relocate the server to building 13 under the umbrella of the ORS server team. System access is password protected and can only be accessed via specific passwords. Once again, the server does not store any personal data on individuals and only certain individuals will have access to the server.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer -- 301-496-9923

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORS Potentially Hazardous Materials Information System Database (PHMIS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 9, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: TBD

4. Privacy Act System of Records (SOR) Number: 09-25-0105

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Potentially Hazardous Materials Information System Database

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Toan Nguyen/Polly McCarty

10. Provide an overview of the system: The PHMIS system tracks the use of infectious agents within NIH.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): None: SOR # 09-25-0105. This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0105, published in the Federal Register, Volume 67, No. 187, September 26, 2002.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system collects contact and identifying information from individuals to determine what infectious materials are used in research at the NIH and by whom. Provision of the necessary information is required to work with specific hazardous materials.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: None presently; however, were the situation to occur for either of these concerns, all contributors to the system would be notified electronically with the appropriate information.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is protected by a number of different controls that can be viewed in detail in the system C&A package. Some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based access. For physical protection, the NIH campus is protected by guards and police; in addition, the server itself is kept behind a locked door. Administratively, procedures are in place to allow only individuals with a job-related necessity to access IIF.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer -- 301-496-9923

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORS Radiation Safety Comprehensive Database (RSCD) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 5, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: TBD

4. Privacy Act System of Records (SOR) Number: 09-25-0166

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Radiation Safety Comprehensive Database

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Bob Zoon

10. Provide an overview of the system: The Radiation Safety Comprehensive Database System (RSCDS) supports the NIH Radiation Safety Program and its information and record keeping needs. As a multiple licensee of the U.S. Nuclear Regulatory Commission, the NIH Program is required to maintain extensive detailed records on the use of licensed radioactive materials and on the training, performance and radiation exposure of employees, as well as radiation exposure of research patients, visitors and the public. The RSCDS is an essential tool for efficiently facilitating these information collection, storage and retrieval needs.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Per SOR# 09-25-0166, Routine uses of Record:

Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.

Disclosure may be made to the Department of Justice or to a court or other tribunal from this system of records, when (a) HHS, or any component thereof; or (b) any HHS employee in his or her official capacity; or (c) any HHS employee in his or her individual capacity where the Department of Justice (or HHS, where it is authorized to do so) has agreed to represent the employee; or (d) the United States or any agency thereof where HHS determines that the litigation is likely to affect HHS or any of its components, is a party to litigation or has an interest in such litigation, and HHS determines that the use of such records by the Department of Justice, court or other tribunal is relevant and necessary to the litigation and would help in the effective representation of the governmental party, provided, however, that in each case HHS determines that such disclosure is compatible with the purpose for which the records were collected.

Disclosure may be made to contractors for the purpose of processing or refining the records. Contracted services may include monitoring, testing, sampling, surveying, evaluating, transcription, collation, computer input, and other records processing. The contractor shall be required to maintain Privacy Act safeguards with respect to such records.

Disclosure may be made to: a) officials of the United States Nuclear Regulatory Commission which, by Federal regulation, licenses, inspects and enforces the regulations governing the use of radioactive materials; and b) OSHA, which provides oversight to ensure that safe and healthful work conditions are maintained for employees. Disclosure will also be permitted to other Federal and/or State agencies which may establish health and safety requirements or standards.

Radiation exposure and/or training and experience history may be transferred to new employer.

A record may be disclosed for a research purpose, when the Department: (A) has determined that the use or disclosure does not violate legal or policy limitations under which the record was provided, collected, or obtained; (B) has determined that the research purpose (1) cannot be reasonably accomplished unless the record is provided in individually identifiable form, and (2) warrants the risk to the privacy of the individual that additional exposure of the record might bring; (C) has required the recipient to (1) establish reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of the record, (2) remove or destroy the information that identifies the individual at the earliest time at which removal or destruction can be accomplished consistent with the purpose of the research project, unless the recipient has presented adequate justification of a research or health nature for retaining such information, and (3) make no further use or disclosure of the record except (a) in emergency circumstances affecting the health or safety of any individual, (b) for use in another research project, under these same conditions, and with written authorization of the Department, (c) for disclosure to a properly identified person for the purpose of an audit related to the research project, if information that would enable research subjects to be identified is removed or destroyed at the earliest opportunity consistent with the purpose of the audit, or (d) when required by law; (D) has secured a written statement attesting to the recipient's understanding of, and willingness to abide by these provisions.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The Radiation Safety Database System tracks exposure badges, compliance surveys, radioactive isotopes, radiation sources, radioactive waste disposal, and radioactive waste discharges (WSSC). In addition, the Radiation Safety System tracks the location of radioactive materials and the personnel who are permitted to work with those materials. The personal information collected is Name, NIH Employee ID number, Date of Birth, SSN, work location(s), work mailing address, IC affiliation, work phone number and work email address.

This information is collected for employees, researchers, contractors and any other appointment types that could use or have exposure to radioactive materials. This information is mandatory to operate a Radiation Safety Program which is in compliance with U.S. Nuclear Regulatory Commission licenses, regulations and the regulations of the Occupational Safety and Health Administration, DOL and to protect the health and safety of NIH personnel, patients, visitors and the general public.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: None

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer -- 301-496-9923

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORS RELAIS (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: TBD

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: RELAIS

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ben Hope

10. Provide an overview of the system: Relais is a document delivery system that allows library customers to request articles that are not readily available on-line. Relais stores user information that is available publicly in NED and tracks what has been requested.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not share or disclose information.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The organization uses the information to correctly deliver documents to individuals who request them.

The system itself does not collect IIF or disperse IIF to other systems. The only IIF that is contained in the system is received from the NIH Enterprise Database (NED) through nightly updates. Specifically, they receive:



NIH email

Office Location

Mail Stop

Office Phone Number

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There are none.

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is protected by a number of different controls that can be viewed in detail in the system C&A package. Some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based access. For physical protection, the NIH campus is protected by guards and police; in addition, the server itself is kept behind a locked door. Administratively, procedures are in place to allow only individuals with a job-related necessity to access IIF.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORS ScheduAll (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 5, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: #09-25-0106

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: ScheduALL

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Karla Terney

10. Provide an overview of the system: Resource scheduling and business management software designed to handle the conference services, multimedia services, and medical arts services needs of the NIH/ORS/Division of Medical Arts.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is not shared outside the Division of Medical Arts (DMA). Reference SOR #09-25-0106. This information is further addressed in the NIH Privacy Act Systems of Record Notice 09-25-0106, published in the Federal Register, Volume 67, No. 187, September 26, 2002

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: This system records contact information for those individuals that request services managed by DMA. The IIF information will be used to reserve services and for correspondence to confirm bookings. The limited IIF that is captured is mandatory for booking and reservation services.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There are none

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system is protected by a number of different controls that can be viewed in detail in the system C&A package. Some of the major controls that help to secure the IIF are firewalls, IDSs, VPN for remote access, the use of user names and passwords, and role-based access. For physical protection, the NIH campus is protected by guards and police; in addition, the server itself is kept behind a locked door. Administratively, procedures are in place to allow only individuals with a job-related necessity to access IIF.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH OD/ORS Visual Status of Funds (VSOF) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Jul 3, 2007

3. Unique Project Identifier (UPI) Number: TBD

4. Privacy Act System of Records (SOR) Number: No

5. OMB Information Collection Approval Number: no

6. Other Identifying Number(s): no

7. System Name: Visual Status of Funds

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Belinda Ancarrow/Rebecca Uberall

10. Provide an overview of the system: VSOF is an organizational reporting tool that allows users to manipulate and report on financial transactions downloaded from the NIH Central Accounting System.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Accounting data and related document information is downloaded from the Central Accounting System (CAS) and is relevant or specific to the Office of Research Services (ORS) and the Office of Research Facilities Development and Operations (ORFDO) for its fiscal year operations. The system contains no IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH ORS Application Hosting Environment (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jan 9, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: n/a

4. Privacy Act System of Records (SOR) Number: n/a

5. OMB Information Collection Approval Number: n/a

6. Other Identifying Number(s): n/a

7. System Name: ORS/ORF Application Hosting Environment

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Ben Ashtiani

10. Provide an overview of the system: The ORS/ORF Application Hosting Environment is the underlying server and security infrastructure that provides the hosting capability for ORS/ORF applications. It consists of physical servers, network routing and switching systems, firewalls, IDS, and network backbone infrastructure. The majority of the applications hosted in this environment are hosted on VMWare ESX virtual servers; a small number of applications are hosted on their own dedicated servers.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): n/a

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: This system collects no information; no IIF is collected by this system.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: n/a

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: n/a

PIA Reviewer Approval: Promote


PIA Reviewer Name: Genia H. Bohrer

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Jun 26, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CC ProVation (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: Significant System Management Changes

1. Date of this Submission: Sep 7, 2007

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: GI Docs

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Tahir Rameez

10. Provide an overview of the system: GI DOCS is a Major Application whose mission is to digitally report findings from gastroenterological endoscopic exams of the upper and lower gastrointestinal tract, including the ability to record digital pictures. It is part of modern clinical practice in gastroenterology and considered a part of routine clinical care. Procedures are recorded as they are done and the information for each procedure is collected from a particular patient for a particular procedure.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: GI DOCS is a Major Application whose mission is to digitally report findings from gastroenterological endoscopic exams of the upper and lower gastrointestinal tract, including the ability to record digital pictures. It is part of modern clinical practice in gastroenterology and considered a part of routine clinical care. Procedures are recorded as they are done and the information for each procedure is collected from a particular patient for a particular procedure.

The submission of the personal information is voluntary. SSNs are not entered into the GIDOCS database here at NIH although there is a field that could be used. Instead, we identify and track patients by their medical record #, name and dates. We have no plans to use SSNs

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: GI DOCS is a Major Application whose mission is to digitally report findings from gastroenterological endoscopic exams of the upper and lower gastrointestinal tract, including the ability to record digital pictures. It is part of modern clinical practice in gastroenterology and considered a part of routine clinical care. Procedures are recorded as they are done and the information for each procedure is collected from a particular patient for a particular procedure.

Consent is usually not obtained from patients to maintain medical records. Data is retained on servers maintained by NIDDK, and a hard copy is printed which is inserted into the patient’s medical chart. This is kept in medical records.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Technical, Physical and administrative controls are in place to ensure the security of the information. These include an up to date System Security Plan, Contingency Plan, regular offsite backup of the data, and yearly security awareness training for all personnel. The system is certified and accredited.

The information is secured through multiple levels of security and access controls have been established to authenticate the user and to determine if the user has the authorization to perform actions requested. The access controls are supplemented with a secure network at both NIH and NIDDK.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Cyrus Karimian

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 10, 2007

Date Published: Sept 8, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT Constellation (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: Initial PIA Migration to ProSight

1. Date of this Submission: May 19, 2008

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00

4. Privacy Act System of Records (SOR) Number: 09-25-0216

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): None

7. System Name: Constellation

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Bill Jones, NIH/OD/OCITA

10. Provide an overview of the system: The purpose of Constellation is to serve as an intermediate system between the NIH Enterprise Directory (NED) and the NIH Active Directory (AD) system. Every person represented by an AD account has a NED record, which serves as the authoritative source of person data. When data is changed in NED, the change flows through Constellation into AD. This data flow takes place for people in all NIH ICs. For a smaller number of voluntarily provisioned ICs, Constellation also created AD accounts and mailboxes based on NED authorizations from Administrative Officers, and deletes AD accounts when people in those ICs leave NIH.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The purpose of Constellation is to serve as an intermediate system between the NIH Enterprise Directory (NED) and the NIH Active Directory (AD) system. Every person represented by an AD account has a NED record, which serves as the authoritative source of person data. When data is changed in NED, the change flows through Constellation into AD. This data flow takes place for people in all NIH ICs. For a smaller number of voluntarily provisioned ICs, Constellation also created AD accounts and mailboxes based on NED authorizations from Administrative Officers, and deletes AD accounts when people in those ICs leave NIH. NED submits public information to the HHS Directory. SORN 09-25-0216

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system maintains an intermediate copy of non-privacy information in a meta directory. The purpose of that information is to populate Active Directory attributes when creating AD accounts, updating the personal information attributes in AD, and deleting AD accounts based on NED actions. The sole purpose of maintaining data in Constellation is to flow person data from NED into AD and to allow Constellation to create AD accounts and mailboxes. Its data is not available to any system or person outside of Constellation. Data is entered into NED and the data entered by the user is voluntary. The data fields (and corresponding NED column names) in the Constellation system are:

· businessCategory (NIHORGACRONYM)

· co (C)

· costCenter (NIHORGPATH)

· departmentNumber (NIHSAC)

· Description (DESCRIPTION)

· employeeStatus (NIHPERSONSTATUS)

· Facsimile Telephone Number (FACSIMILETELEPHONE)

· Full Name (derived) IIF

· Generational Qualifier (GENERATIONQUALIF)

· Given Name (GIVENNAME) IIF

· Initials (INITIALS) IIF

· Login Disabled (transformed)

· mailstop (NIHMAILSTOP)

· middleName (MIDDLENAME)

· nihCommonGenerationQualifier (NIHCOMMONGENQUALIF)

· nihCommonMiddleName (NIHCOMMONMIDDLENAM)

· nihMailboxLocation (MAILBOX_LOCATION)

· nihSuffixQualifier (NIHSUFFIXQUALIFIER)

· filtered out (NIHSSODOMAIN)

· nihWhenDate (DATETIME)

· personalTitle (PERSONALTITLE)

· Physical Delivery Office Name (L)

· Postal Code (POSTALCODE)

· roomNumber (ROOMNUMBER)

· S (ST)

· siteLocation (BUILDINGNAME)

· Telephone Number (TELEPHONENUMBER) IIF

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The sole purpose of maintaining data in Constellation is to flow person data from NED into AD and to allow Constellation to create AD accounts and mailboxes. Its data is not available to any system or person outside of Constellation. (see question 30) Notice of consent, etc. is handled by NED.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system restricts access based on role (sys admins and developers). The system is located in the NIH Data Center and utilizes the physical controls already in place; biometrics, guards, etc. The system is behind the NIH perimeter firewall and is monitored by the NIH IDS. Any anomalies are examined by the system administrator and ISSO and are sent to the NIH IRT for review if necessary.

PIA Reviewer Approval: Promote

Comments: updated by ISSO 6/26/07

updated by PECO 7/14/08

PIA Reviewer Name: Marie Lagana, NIH/CIT

Sr. Official for Privacy Approval: Promote

Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Jul 14, 2008

Date Published: Sept 8, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT Democracy Server Room (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jun 3, 2008

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00

4. Privacy Act System of Records (SOR) Number: There is no PII - this is for a server room

5. OMB Information Collection Approval Number: There is no OMB ICA Number - this is for a server room

7. System Name: Democracy II Server Room

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Deborah Bucci

10. Provide an overview of the system: This is a development and test environment used by the Division of Enterprise and Custom Applications.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Not applicable

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: There is no PII - this is for a server room

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There is no PII - this is for a server room

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: There is no PII - this is for a server room

PIA Reviewer Approval: Promote


PIA Reviewer Name: Michele Mulholland France, CIT

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 19, 2008

Date Published: Sept 8, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT ePolicy Orchestrator (ePO) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jun 3, 2008

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00

4. Privacy Act System of Records (SOR) Number: There is no SOR for this application.

5. OMB Information Collection Approval Number: There is no PII in this application.

6. Other Identifying Number(s): There are no other identifying numbers.

7. System Name: ePolicy Orchestrator

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Connie Latzko

10. Provide an overview of the system: This is a COTS product used for antivirus protection, tracking, removal and reporting for CIT systems.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): The system does not contain any IIF.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The system does not contain any IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: The system does not contain any IIF.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: The system does not contain any IIF.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Michele Mulholland France CIT/EO/PECO

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 19, 2008

Date Published: Sept 8, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CIT Fernwood Server Room (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jun 3, 2008

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: 009-25-02-00-01-3109-00

4. Privacy Act System of Records (SOR) Number: There is no PII - this is for a server room.

5. OMB Information Collection Approval Number: There is no OMB information collection approval number

6. Other Identifying Number(s): There are no other identifying numbers.

7. System Name: Fernwood Server Room

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Adrian Burton

10. Provide an overview of the system: The Fernwood Server Room, located on the first floor of the Fernwood building, houses development, test, and file servers for various organizations including the Office of the Chief IT Architect, Office of the Chief Information Officer, CIT Division of Enterprise and Custom Applications, and CIT Division of Customer Support Training Division.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): This is a server room; the information contained on the servers is covered by the application C&A.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: This is a server room; the information contained on the servers is covered by the application C&A.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: This is a server room; the information contained on the servers is covered by the application C&A.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: This is a server room; the information contained on the servers is covered by the application C&A.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Marie Lagana

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 19, 2008

Date Published: Sept 8, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH CSR National Registry of Volunteer Reviewers (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Jul 28, 2008

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-25-0036

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: CSR National Registry of Volunteer Reviewers

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Diane Stassi, Weijia Ni

10. Provide an overview of the system: The CSR National Registry of Volunteer Reviewers is an Access-based database that contains information provided by volunteer scientists who are interested in serving on CSR grant review panels. Information provided includes: Name, Degree, Title, Institution, Department, Email, Web Address(es), Area of Expertise/Keywords, Study Section or IRG, Recent funding sources, Referring Society, QVR Person ID, NIH review and grant history, Geographical Region, Date Registered, SRO Contact Records (check boxes for “Contacted” and “Served” as well as date and SRO name), and an SRO Reviewer Evaluation field (check boxes 1-5 – for scientific expertise and review performance). The database is available to everyone in CSR who has access to the CSR share drive. The database is searchable by Keyword, IRG, and Region.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Information is disclosed to anyone in CSR with access to the Share Drive, including Scientific Review Officers, IRG Chiefs, Division Directors, and personnel in the Director’s Office. The information will be used to 1) identify highly qualified reviewers who are willing to serve on study sections and 2) report back to the referring societies on how many of their recommended reviewers have served on panels.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The information collected for the CSR National Registry of Volunteer Reviewers contains IIF. The following information is voluntarily provided by scientists who are interested in serving on CSR grant review panels: Name, Degree, Title, Institution, Department, Email, Web Address(es), Area of Expertise/Keywords, Study Section or IRG, Recent funding sources, and Referring Society. In addition to this information, the developers of the database add the volunteer’s QVR Person ID and NIH Review history (if they are in the system), Geographical Region, Date Registered, and Reviewer Evaluation (check boxes 1-5 – for scientific expertise and review performance). Individuals using the database (primarily Scientific Review Officers) may add Contact Records (check boxes for “Contacted” and “Served”, date and SRO name) as well as reviewer evaluation. The information will be used to identify highly qualified reviewers to serve on study section panels and to provide feedback to societies on whether their members are serving on panels.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No major changes are expected to occur to the database. If any changes are made, we will notify all individuals via email. We will be collecting the following IIF: Name, Mailing Address, Phone Numbers, Device Identifiers, Web Uniform Resource Locator(s) (URL), Email Address, and QVR Identifier. Individuals will be notified via email describing the IIF obtained and that we will use this information to identify highly qualified reviewers who are willing to serve on study sections. This information is stored in a database that is available to CSR employees, and specifically created for Scientific Review Officer use. The email notification will also give the individual the option of rescinding their information, at which point the system developers will destroy (permanently delete) the IIF provided.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Administrative controls. To run the database, SROs download it to their C-Drives from the Share drive. Access to the CSR Share drive is limited. Personnel with access to the database have been trained and are aware of their responsibilities for protecting IIF.

Physical controls. Rockledge 2 is secured by guards, employee identification badges and keycards.

Technical controls: All CSR laptop computers are protected by encryption. User identification, passwords, firewall, VPN are currently in place. Security patches for servers and laptops are always kept current.

The NIH incident response team will notify the CSR ISSO of any security incidents detected. Users will notify the CSR ISSO of any security incidents.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Asghar Noor, IMB Chief, 301-435-0967

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 19, 2008

Date Published: Sept 8, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Agricultural Health Study- Iowa (AHSI) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: Initial PIA Migration to ProSight

1. Date of this Submission: Jul 28, 2008

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: 0925-0406

6. Other Identifying Number(s): AHSI

7. System Name: NIH NCI Agricultural Health Study - Iowa (AHSI)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Michael Alavanja/Charles Lynch

10. Provide an overview of the system: The Agricultural Health Study is a collaborative effort involving the National Cancer Institute (NCI), the National Institute of Environmental Health Sciences (NIEHS), and the U.S. Environmental Protection Agency (EPA). The study has four major components:

1. The main prospective cohort study - cancer and non-cancer outcomes

a. linkage with cancer registries, vital statistics, United States Renal Data System (USRDS)

b. ongoing data collection (i.e., telephone interview, food frequency questionnaire and cheek cell collection)

2. Cross-sectional studies - including questionnaire data, functional measures, biomarkers, and GIS

3. Nested case-control studies

4. Exposure assessment and validation studies

The cohort includes 58,564 private pesticide applicators, spouses of private applicators, and commercial pesticide applicators recruited within Iowa. Phase I, initial cohort recruitment, began in 1993 and concluded in 1997. Phase II follow-up began in 1999 and concluded in 2003. The phase III follow-up began in 2005. Phase I observation involved administration of a questionnaire to obtain information on pesticide use, other agricultural exposures, work practices that modify exposures, and other activities that may affect either exposure or disease risks (e.g. diet, exercise, alcohol consumption, medical conditions, family history of cancer, other occupations, and smoking history). Phase II had three data collection components: a computer assisted telephone interview (CATI), buccal cell collection, and a mailed dietary questionnaire. Phase II interviews are designed to record updated information on pesticide use since enrollment, current farming and work practices, and changes in health status. In addition, the Dietary Health Questionnaire in phase II makes a detailed evaluation of subjects' cooking practices and dietary intake. The buccal cell collection of phase II was implemented to assess the impact of genetic risk factors on epidemiologic outcomes. Phase III interviews are designed to record updated information on pesticide use since Phase II, current farming and work practices, and changes in health status. In addition to phase II and phase III data collection activities that include the whole cohort, a series of sub-studies involving a small number of study participants will directly measure applicator and family member exposures to selected pesticides and/or focus in greater detail on subgroups with specific diseases or exposures.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Agricultural Health Study Coordinating Center for data analysis and annual linkages to the National Death Index and the Internal Revenue Service. Designated sub-contractors within the AHS for the purpose of completing sub studies. The State Health Registry of Iowa for the purpose of completing linkages for Iowa Cancer outcomes and Iowa mortality. The system is also covered under the Privacy Act System of Records Notice 09-25-0200.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: We share IIF with sub-studies or other designated sub-contractors with the Ag Health Study to allow them to complete their contract within the study. In all cases we contact the participant to inform them of the release and allow them to refuse. We share IIF with the State Health Registry of Iowa to complete linkages to determine cancer outcomes and deaths within our cohort. We share IIF with the Ag Health Study Coordinating Center to complete linkages with the National Death Index for additional deaths that didn't occur in Iowa and the Internal Revenue Service for updated addresses of participants who have moved out of state.

Phase I involved a questionnaire to obtain information on pesticide use, other agricultural exposures, work practices that modify exposures, and other activities that may affect either exposure or disease risks. Phase II had three data collection components: a computer-assisted telephone interview (CATI), buccal cell collection, and a mailed dietary questionnaire. Phase II and Phase III include data collection activities that include the whole cohort. There is also a series of sub-studies involving a small number of study participants that will directly measure applicator and family member exposures to selected pesticides and/or focus in greater detail on subgroups with specific diseases or exposures.

Participation is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There have been no major changes in the system and none are contemplated. Our IRB would review any major changes prior to implementation and provide us with guidance on any needed notification and consent requirements.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Several layers of passwords exist to ensure unauthorized access to the electronically stored data is not permitted. Long term backups on tape or external hard disk are stored in a locked fireproof safe in a locked room at the Iowa Field Station. Transient backups are written to encrypted hard drive until they can be written to long term media. Hard copies of contact sheets, questionnaire identifier pages, and consent forms are stored in locked file cabinets in locked rooms at the Iowa Field Station. User ID, passwords, firewalls and encryption are used. All personnel involved with the project have signed confidentiality agreements.

PIA Reviewer Approval: Promote

Comments: PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 19, 2008

Date Published: Sept 8, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Agricultural Health Study- North Carolina (AHSNC) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: Initial PIA Migration to ProSight

1. Date of this Submission: Jul 28, 2008

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: 0925-0406

6. Other Identifying Number(s): AHSNC

7. System Name: AHSNC

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Michael Alavanja / Charles Knott

10. Provide an overview of the system: The Agricultural Health Study is a collaborative effort involving the National Cancer Institute (NCI), the National Institute of Environmental Health Sciences (NIEHS), and the U.S. Environmental Protection Agency (EPA). The study has four major components:

1. The main prospective cohort study - cancer and non-cancer outcomes

a. linkage with cancer registries, vital statistics, United States Renal Data System (USRDS)

b. ongoing data collection (i.e., telephone interview, food frequency questionnaire and cheek cell collection)

2. Cross-sectional studies - including questionnaire data, functional measures, biomarkers, and GIS

3. Nested case-control studies

4. Exposure assessment and validation studies

The cohort includes 89,658 private pesticide applicators, spouses of private applicators, and commercial pesticide applicators recruited within Iowa and North Carolina. Phase I, initial cohort recruitment, began in 1993 and concluded in 1997. Phase II follow-up began in 1999 and concluded in 2003. The phase III follow up began in 2005. Phase I observation involved administration of a questionnaire to obtain information on pesticide use, other agricultural exposures, work practices that modify exposures, and other activities that may affect either exposure or disease risks (e.g., diet, exercise, alcohol consumption, medical conditions, family history of cancer, other occupations, and smoking history). Phase II had three data collection components: a computer-assisted telephone interview (CATI), buccal cell collection, and a mailed dietary questionnaire. Phase II interviews were designed to record updated information on pesticide use since enrollment, current farming and work practices, and changes in health status. In addition, the Dietary Health Questionnaire in phase II makes a detailed evaluation of subjects' cooking practices and dietary intake. The buccal cell collection of Phase II was implemented to assess the impact of genetic risk factors on epidemiologic outcomes. Phase III activities are in the planning stage. In addition to phase II and phase III data collection activities that include the whole cohort, a series of sub-studies involving a small number of study participants will directly measure applicator and family member exposures to selected pesticides and/or focus in greater detail on subgroups with specific diseases or exposures.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): North Carolina Field Station (Battelle CPHRE, Durham, NC - separately contracted by NCI - handles all direct interactions with NC participants.) National Death Index (NDI) - Annual match with NDI Plus files; initiated by the Coordinating Center but processed by Battelle. Internal Revenue Service - to obtain updated address information which is stored at field stations; initiated by the Coordinating Center but processed by Battelle. North Carolina Central Cancer Registry (NCCCR) - Battelle CPHRE, Durham, NC - separately contracted by NCI - annual match with NCCCR incidence files. North Carolina Decedent Database (NCDD) - Battelle CPHRE, Durham, NC - Annual matches with NCDD files. The system is also covered under the Privacy Act System of Records Notice 09-25-0200.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Battelle's North Carolina Field Station maintains all identifiers in a separate and secure database from other AHS data. This information is critical for active and passive follow-up of the cohort. This is a requirement and adheres to AHS' Certificate of Confidentiality.

There are four major components:

1. Main prospective cohort study - cancer and non-cancer outcomes

a. linkage with cancer registries, vital statistics, United States Renal Data System (USRDS)

b. ongoing data collection (i.e., telephone interviews, food frequency questionnaire and cheek cell collection)

2. Cross-sectional studies - including questionnaire data, functional measures, biomarkers, and GIS

3. Nested case-control studies

4. Exposure assessment and validation studies

Phase I involved a questionnaire to obtain information on pesticide use, other agricultural exposures, work practices that modify exposures, and other activities that may affect either exposure or disease risks. Phase II had three data collection components: a computer-assisted telephone interview (CATI), buccal cell collection, and a mailed dietary questionnaire. Phase II and Phase III include data collection activities that include the whole cohort. There are also a series of sub-studies involving a small number of study participants that will directly measure applicator and family member exposures to selected pesticides and/or focus in greater detail on subgroups with specific diseases or exposures.

Participation is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There have been no major changes in the system and none are contemplated. Battelle's CPHRE IRB reviews any major changes prior to implementation and provides us with guidance on any needed notification and consent requirements.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Extensive safeguards are in place to ensure the confidentiality of each subject is protected. Each subject is assigned a six-digit number; these IDs are used for any references to subjects on an individual basis. Names and other identifying information are kept in separate databases maintained by Battelle. These data files are joined only for performing necessary active and passive follow-up activities. Contact of subjects occurs only through the Field stations. Several layers of passwords exist to ensure unauthorized access to the electronically stored data is not permitted. Hard copies of consents and questionnaires that contain any personal information are stored in locked rooms at Battelle.

User IDs, passwords, firewalls, VPN, encryption, intrusion detection system, and smart cards are in use.

All personnel involved with the project have signed confidentiality agreements and adhere to the project's Certificate of Confidentiality. Access to physical and electronic records is limited to authorized AHS Field Station staff and appropriate physical, administrative, and technical controls are in place.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 19, 2008

Date Published: Sept 8, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCI Agricultural Health Study - Westat (AHSW) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision: Initial PIA Migration to ProSight

1. Date of this Submission: Jun 3, 2008

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: 09-25-0200

5. OMB Information Collection Approval Number: 0925-0406

6. Other Identifying Number(s): AHSW

7. System Name: NIH NCI Agricultural Health Study - Westat (AHSW)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Michael Alavanja / Stanley Legum

10. Provide an overview of the system: The Agricultural Health Study is a collaborative effort involving the National Cancer Institute (NCI), the National Institute of Environmental Health Sciences (NIEHS), and the U.S. Environmental Protection Agency (EPA). The study has four major components:

1. The main prospective cohort study - cancer and non-cancer outcomes

a. linkage with cancer registries, vital statistics, United States Renal Data System (USRDS)

b. ongoing data collection (i.e., telephone interview, food frequency questionnaire and cheek cell collection)

2. Cross-sectional studies - including questionnaire data, functional measures, biomarkers, and GIS

3. Nested case-control studies

4. Exposure assessment and validation studies

The cohort includes 89,658 private pesticide applicators, spouses of private applicators, and commercial pesticide applicators recruited within Iowa and North Carolina. Phase I, initial cohort recruitment, began in 1993 and concluded in 1997. Phase II follow-up began in 1999 and concluded in 2003. The Phase III follow-up began in 2005. Phase I observation involved administration of a questionnaire to obtain information on pesticide use, other agricultural exposures, work practices that modify exposures, and other activities that may affect either exposure or disease risks (e.g. diet, exercise, alcohol consumption, medical conditions, family history of cancer, other occupations, and smoking history). Phase II had three data collection components: a computer-assisted telephone interview (CATI), buccal cell collection, and a mailed dietary questionnaire. Phase II interviews are designed to record updated information on pesticide use since enrollment, current farming and work practices, and changes in health status. In addition, the Dietary Health Questionnaire in Phase II makes a detailed evaluation of subjects' cooking practices and dietary intake. The buccal cell collection of Phase II was implemented to assess the impact of genetic risk factors on epidemiologic outcomes. In addition to Phase II and Phase III data collection activities that include the whole cohort, a series of sub-studies involving a small number of study participants will directly measure applicator and family member exposures to selected pesticides and/or focus in greater detail on subgroups with specific diseases or exposures.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: Yes

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: Yes

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): Iowa Field Station (University of Iowa - separately contracted by NCI - handles all direct interactions with Iowa participants); North Carolina Field Station (Battelle CPHRE, Durham, NC - separately contracted by NCI - handles all direct interactions with NC participants); Information Management Services (IMS - separately contracted by NCI - performs data analyses for NCI); National Death Index (NDI) - Annual match with NDI Plus files. Internal Revenue Service - to obtain updated address information which is stored at the field stations. This system is also covered under the Privacy Act System of Records Notice 09-25-0200.

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: The data do not contain direct identifiers such as name, address, or SSNs except for the periods when we are performing matches to NDI and IRS files.

The AHS has four major components:

1. Main prospective cohort study - cancer and non-cancer outcomes

a. linkage with cancer registries, vital statistics, United States Renal Data System (USRDS)

b. ongoing data collection (i.e., telephone interview, food frequency questionnaire and cheek cell collection)

2. Cross-sectional studies - including questionnaire data, functional measures, biomarkers, and GIS

3. Nested case-control studies

4. Exposure assessment and validation studies

Phase I involved a questionnaire to obtain information on pesticide use, other agricultural exposures, work practices that modify exposures, and other activities that may affect either exposure or disease risks. Phase II had three data collection components: a computer-assisted telephone interview (CATI), buccal cell collection, and a mailed dietary questionnaire. Phase II and Phase III include data collection activities that include the whole cohort. There are also a series of sub-studies involving a small number of study participants that will directly measure applicator and family member exposures to selected pesticides and/or focus in greater detail on subgroups with specific diseases or exposures.

Participation is voluntary.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: There have been no major changes in the system and none are contemplated. Our IRB would review any major changes prior to implementation and provide us with guidance on any needed notification and consent requirements.

32. Does the system host a website?: No

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: Yes

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: Extensive safeguards are in place to ensure the confidentiality of each subject is protected. Each subject is assigned a six-digit number; these IDs are used for any references to subjects on an individual basis. Names and other identifying information are kept in separate databases maintained by the Field Stations. These data files are joined only for performing linkages to the mortality and cancer incidences databases. Contact of subjects occurs only through the Field Stations. Several layers of passwords exist to ensure unauthorized access to electronically stored data is not permitted. Hard copies of questionnaires that contain any personal information (primarily the female/family health questionnaires and selected follow-up questionnaires) are stored in locked rooms at the Coordinating Center. All personnel involved with the project have signed confidentiality agreements.

For a few weeks each year, Westat also has names, social security numbers, and other identifying information when we consolidate files from the field stations for submission to NDI Plus for matching to death records and to IRS to obtain current address data. Once the matched records are returned from these sources they are sent to the originating field station and the files are deleted from Westat servers. While at Westat, these files are stored in a directory accessible only to the project's lead systems manager and one programmer. They are also encrypted when not in use and the encryption key is known only by the same two staff members. The files are never left in unencrypted form overnight so that automatic backups contain only encrypted versions. After the field stations confirm receipt of readable files, the copies at Westat are deleted.

The system is protected by firewalls, intrusion detection systems, and passwords. There are comprehensive system security and contingency plans in place. An Incident Response capability is maintained.

PIA Reviewer Approval: Promote


PIA Reviewer Name: Suzy Milliard

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Jul 14, 2008

Date Published: Sept 8, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCRR Clinical & Translational Science Awards (CTSA) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 21, 2008

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Clinical and Translational Science Awards (CTSA)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sean Hagan

10. Provide an overview of the system: CTSA is a collaborative web site facilitating robust communications among clinical and translational science communities, which enables multi-way discussions about the important new national effort to develop clinical and translational research. The CTSA system consists of the CTSA public website, the CTSA Management System (for managing data and funds from the budget office; tracking the NIH allowances, internal approval process, and subsequent budget standing for any given fiscal year; reporting; and, repository for contracts, inter-agency agreements, administrative, supplements, etc.), and the CTSA-Wiki (for information sharing among grantees funded under the CTSA program).

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: Control and Oversight – Program Monitoring Information; Public Affairs – Customer Services; Public Affairs – Product Outreach; and, Public Affairs – Public Relations. The system does not collect or maintain IIF.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF

PIA Reviewer Approval: Promote


PIA Reviewer Name:

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 22, 2008

Date Published: Sept 8, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCRR Construction Grants Management System (CGMS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 21, 2008

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NCRR Construction Grants Management System (CGMS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sean Hagan

10. Provide an overview of the system: The system is used to track C06 Construction grants.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: CGMS only contains Grant data, not financial data and not Privacy Act data: Grants Financial Management – Reporting and Information; Grants Planning and Resource Allocation - Budget Formulation Information; Program Monitoring Control and Oversight. No IIF is collected or maintained in the system.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF

PIA Reviewer Approval: Promote


PIA Reviewer Name:

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 22, 2008

Date Published: Sept 8, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCRR Electronic Funds Management System (eFMS) (Item)






PIA Summary


Is this a new PIA 2008?: No

If this is an existing PIA, please provide a reason for revision: PIA Validation

1. Date of this Submission: Aug 21, 2008

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: NCRR Electronic Funds Management System (eFMS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Sean Hagan

10. Provide an overview of the system: The eFMS is a web-enabled fiscal planning tool of the current fiscal year for the Office of Financial Management (OFM) and NCRR managers. Both dynamic data from IMPAC II and local non-enterprise data are available. Grant data are displayed in a variety of formats, including web pages, web summary tables, Excel spreadsheets and formal reports. This system provides the Budget Officer with a means to ensure appropriate fiscal control, monitor obligations to verify compliance, and provide accurate, current information to NCRR management for the NCRR extramural portfolio.

13. Indicate if the system is new or an existing one being modified: Existing

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: eFMS only contains Grant data, not financial data and not Privacy Act data: Grants Financial Management – Reporting and Information; Grants Planning and Resource Allocation - Budget Formulation Information; Program Monitoring Control and Oversight. No IIF is collected or maintained in the system.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF

32. Does the system host a website?: No IIF

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF

PIA Reviewer Approval: Promote


PIA Reviewer Name:

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 22, 2008

Date Published: Sept 8, 2008


06.3 HHS PIA Summary for Posting (Form) / NIH NCRR Grants Workflow Information System (GWIS) (Item)






PIA Summary


Is this a new PIA 2008?: Yes

If this is an existing PIA, please provide a reason for revision:

1. Date of this Submission: Aug 21, 2008

2. OPDIV Name: NIH

3. Unique Project Identifier (UPI) Number: No

4. Privacy Act System of Records (SOR) Number: N/A

5. OMB Information Collection Approval Number: No

6. Other Identifying Number(s): No

7. System Name: Grants Workflow Information System (GWIS)

9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed: Gregory Farber, Ph.D.

10. Provide an overview of the system: GWIS provides web-based and Microsoft Outlook integration to help authorized NCRR personnel automate and improve the grant management processes/workflows.

13. Indicate if the system is new or an existing one being modified: New

17. Does/Will the system collect, maintain (store), disseminate and/or pass through IIF within any database(s), record(s), file(s) or website(s) hosted by this system?: No

Note: This question seeks to identify any, and all, personal information associated with the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation.

Note: If no IIF is contained in the system, please answer questions 21, 23, 30, 31, 37, 50 and 54, then promote the PIA to the Sr. Privacy Official who will authorize the PIA.

If this system contains IIF, all remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.

21. Is the system subject to the Privacy Act?: No

23. If the system shares or discloses IIF please specify with whom and for what purpose(s): No IIF

30. Please describe in detail: (1) the information the agency will collect, maintain, or disseminate; (2) why and for what purpose the agency will use the information; (3) In this description, indicate whether the information contains IIF; and (4) whether submission of personal information is voluntary or mandatory: GWIS is an internal grants workflow solution. Information is obtained from the IMPAC II and eFMS (NCRR Electronic Funds Management System). This information is for internal use only, and only the minimal necessary data is collected to support the NCRR internal grants workflow process. GWIS is integrated with Microsoft Outlook for authorized NCRR users. Workflows have been identified and are being developed to process Unsolicited Administrative Supplements, Carry-Over Requests, Funding Opportunity Announcements (FOAs)/ Program Announcements, Annual Progress Report Approvals, National Advisory Research Resources Council (NARRC) Processes, New and Competing Continuation Awards, and Competitive Administrative Supplements.

31. Please describe in detail any processes in place to: (1) notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); and (2) notify and obtain consent from individuals regarding what IIF is being collected from them and how the information will be used or shared: No IIF

32. Does the system host a website?: Yes

37. Does the website have any information or pages directed at children under the age of thirteen?: No

50. Are there policies or guidelines in place with regard to the retention and destruction of IIF?: No

54. Briefly describe in detail how the IIF will be secured on the system using administrative, technical, and physical controls.: No IIF

PIA Reviewer Approval: Promote


PIA Reviewer Name:

Sr. Official for Privacy Approval: Promote


Sr. Official for Privacy Name: Karen Plá

Sign-off Date: Aug 22, 2008

Date Published: Sept 8, 2008