NYTS PIA signed.pdf

National Youth Tobacco Surveys 2024 2026

PIA

OMB: 0910-0932

Privacy Impact Assessment (PIA): CDC - NYTS - QTR1 - 2023 - CDC6656395
Created Date: 1/30/2023 11:51 PM Last Updated: 5/3/2023 4:00 PM

Instructions
Review the following steps to complete this questionnaire:
1) Answer questions. Select the appropriate answer to each question. Question-specific help text may be available via the help icon. If your answer dictates an explanation, a required text box will become available for you to add further information.
2) Add Comments. You may add question-specific comments or attach supporting evidence for your answers by clicking on the comment icon next to each question. Once you have saved the comment, the icon will change to show that a comment has been added.
3) Change the Status. You may keep the questionnaire in the "In Process" status until you are ready to submit it for review. When you have completed the assessment, change the Submission Status to "Submitted". This will route the assessment to the proper reviewer. Please note that all values-list questions must be answered before submitting the questionnaire.
4) Save/Exit the Questionnaire. You may use any of the four buttons at the top and bottom of the screen to save or exit the questionnaire: one completes the questionnaire, one saves your work and closes the questionnaire, one saves your work and keeps the questionnaire open, and one closes the questionnaire without saving your work.
Acronyms
ATO - Authorization to Operate
CAC - Common Access Card
FISMA - Federal Information Security Management Act
ISA - Information Sharing Agreement
HHS - Department of Health and Human Services
MOU - Memorandum of Understanding
NARA - National Archives and Record Administration
OMB - Office of Management and Budget
PIA - Privacy Impact Assessment
PII - Personally Identifiable Information
POC - Point of Contact
PTA - Privacy Threshold Assessment
SORN - System of Records Notice
SSN - Social Security Number
URL - Uniform Resource Locator

General Information
PIA Name: CDC - NYTS - QTR1 - 2023 - CDC6656395
PIA ID: 6656395
Name of Component: National Youth Tobacco Survey
Name of ATO Boundary: National Youth Tobacco Survey
Overall Status:
PIA Queue:
Submitter: ALLEN, Cynthia
# Days Open: 93
Submission Status: Re-Submitted
Submit Date: 4/3/2023
Next Assessment Date: N/A
Expiration Date:
Office: DDNID
OpDiv: CDC
Security Categorization: Low
Make PIA available to Public?: Yes
Legacy PIA ID:

1:

Identify the Enterprise Performance Lifecycle Phase of the system

Operations and Maintenance

2:

Is this a FISMA-Reportable system?

Yes

3:

Does the system have or is it covered by a Security Authorization
to Operate (ATO)?

Yes

4:

ATO Date or Planned ATO Date

3/31/2023

PTA
PTA - 2:

Indicate the following reason(s) for this PTA. Choose from the
following options.

Significant System Management Change

PTA - 2A:

Describe in further detail any changes to the system that have
occurred since the last PIA.

Changes to the system operating environment and development tool, from Voxco to Qualtrics, and from dedicated on-premises hosting to FedRAMP authorized cloud services. There are minor changes to the data elements in the recently approved PIA. These changes have been updated in this version of the PIA.

PTA - 3:

Is the data contained in the system owned by the agency or
contractor?

Agency

PTA - 4:

Please give a brief overview and purpose of the system by
describing what the functions of the system are and how the
system carries out those functions.

National Youth Tobacco Survey (NYTS) system
is an electronic survey system that collects and
stores anonymous survey data. It is a national
comprehensive survey to examine 6th through
12th grade students’ behaviors, knowledge, and
attitudes toward tobacco, and to measure shifts
in behaviors and use of emerging products.

PTA - 5:

List and/or describe all the types of information that are collected
(into), maintained, and/or shared in the system regardless of
whether that information is PII and how long that information is
stored.

The system collects and maintains the responses to survey questionnaires from approximately 23,000 anonymous middle school and high school students annually. The survey is voluntary, and students are asked about their behaviors, knowledge, and attitudes toward specific tobacco products (e.g., cigarettes, cigarillos, e-cigarettes, hookah/water pipes, smokeless tobacco, flavored tobacco), as well as about how they obtain tobacco products and their exposure to tobacco advertising. Additionally, there are some social context questions to understand factors in tobacco usage and knowledge, such as the Adolescent Discrimination and Distress Index (ADDI) and Neighborhood Environment Scale (NES). Some example questions include:
--"How old were you when you first tried cigarette smoking, even one or two puffs?"
--"During the past 30 days, on how many days did you use any tobacco product(s)?"
--Questions asking for age, sex, and grade level, for statistical analysis purposes only.
--"There are plenty of safe places to walk or spend time outdoors in my neighborhood?"
--"You were discouraged from joining a club?"

PTA - 5A:

Are user credentials used to access the system?

PTA - 5B:

Please identify the type of user credentials used to access the
system.

PTA - 6:

Describe why all types of information is collected (into),
maintained, and/or shared with another system. This description
should specify what information is collected about each category
of individual.

Survey responses are collected from middle school and high school students annually to understand their behaviors, knowledge, and attitudes toward tobacco products. Participants are asked about their behaviors, knowledge, and attitudes toward specific tobacco products (e.g., cigarettes, cigarillos, e-cigarettes, hookah/water pipes, smokeless tobacco, flavored tobacco), as well as about how they obtain tobacco products and their exposure to tobacco advertising. Additionally, there are some social context questions to understand factors in tobacco usage and knowledge, such as the Adolescent Discrimination and Distress Index (ADDI) and Neighborhood Environment Scale (NES). Some example questions include:
--"How old are you?"
--"How old were you when you first tried cigarette smoking, even one or two puffs?"
--"During the past 30 days, on how many days did you use any tobacco product(s)?"
--Questions asking for age, sex, and grade level, for statistical analysis purposes only.
--"There are plenty of safe places to walk or spend time outdoors in my neighborhood?"
--"You were discouraged from joining a club?"
These data are used by CDC to help design, implement, monitor, and evaluate CDC's programs for reducing tobacco use among youth. These data are not shared with other systems.
Survey respondents: Students access the survey using a randomly generated access code that is uniquely assigned to them; no identifying information about the students is collected or requested.
Indirect contractor (Administrator): The system maintains authentication credentials (user ID and password) in a separate information system for four administrators to securely access the system for administration, development, and maintenance purposes.

PTA - 7:

Does the system collect, maintain, use or share PII?

Yes

PTA - 7A:

Does this include Sensitive PII as defined by HHS?

Yes

PTA - 8:

Does the system include a website or online application?

No

PTA - 8A:

Are any of the URLs listed accessible by the general public (to
include publicly accessible log in and internet websites/online
applications)?

No

PTA - 9:

Describe the purpose of the website, who has access to it, and
how users access the web site (via public URL, log in, etc.).
Please address each element in your response.

NYTS is an electronic survey data collection website that is not publicly accessible. The web URL is known only to selected students in grades 6 through 12, who access it using a randomly generated PIN to provide their responses.

PTA - 10:

Does the website have a posted privacy notice?

No

PTA - 11:

Does the website contain links to non-federal government
websites external to HHS?

No

PTA - 11A:

Is a disclaimer notice provided to users that follow external links to
websites not owned or operated by HHS?

PTA - 12:

Does the website use web measurement and customization
technology?

PTA - 12A:

Select the type(s) of website measurement and customization
technologies in use and if it is used to collect PII.

PTA - 13:

Does the website have any information or pages directed at
children under the age of thirteen?

No

PTA - 13A:

Does the website collect PII from children under the age thirteen?

No

PTA - 13B:

Is there a unique privacy policy for the website and does the
unique privacy policy address the process for obtaining parental
consent if any information is collected?

PTA - 14:

Does the system have a mobile application?

PTA - 14A:

Is the mobile application HHS developed and managed or a third-party application?

PTA - 15:

Describe the purpose of the mobile application, who has access to
it, and how users access it. Please address each element in your
response.

PTA - 16:

Does the mobile application have a privacy notice?

PTA - 17:

Does the mobile application contain links to non-federal
government website external to HHS?

PTA - 17A:

Is a disclaimer notice provided to users that follow external links to
resources not owned or operated by HHS?

PTA - 18:

Does the mobile application use measurement and customization
technology?

PTA - 18A:

Describe the type(s) of measurement and customization
technologies or techniques in use and what information is
collected.

PTA - 19:

Does the mobile application have any information or pages
directed at children under the age of thirteen?

PTA - 19A:

Does the mobile application collect PII from children under the age
thirteen?

PTA - 19B:

Is there a unique privacy policy for the mobile application and
does the unique privacy policy address the process for obtaining
parental consent if any information is collected?

PTA - 20:

Is there a third-party website or application (TPWA) associated
with the system?

No

PTA - 21:

Does this system use artificial intelligence (AI) tools or
technologies?

No

PIA

PIA - 1:

Indicate the type(s) of personally identifiable information (PII) that
the system will collect, maintain, or share.

Email Address
User Credentials
Other - Free text Field - Age, Sex, Grade level

PIA - 2:

Indicate the categories of individuals about whom PII is collected,
maintained or shared.

Members of the public
Vendors/Suppliers/Third-Party Contractors (Contractors other than HHS Direct Contractors)

PIA - 3:

Indicate the approximate number of individuals whose PII is
maintained in the system.

Above 2000

PIA - 4:

For what primary purpose is the PII used?

PII is used to establish system access credentials. Students access the survey using a unique access code that is associated with their school, and no identifying information about the students is collected or requested. Survey respondents' PII (age, sex, grade level) is collected for statistical analysis only and is not retrievable by PII element.

Changes occurred in 2022: the project was awarded to a different indirect contractor for the redesign and rearchitecting using cloud-based tools. The updates to the survey data included changes to some of the value names, while adding some social context questions to understand factors in tobacco usage and knowledge, such as the Adolescent Discrimination and Distress Index (ADDI) and Neighborhood Environment Scale (NES).

PIA - 5:

Describe any secondary uses for which the PII will be used (e.g.
testing, training or research).

Indirect contractor internal communication.

PIA - 6:

Describe the function of the SSN and/or Taxpayer ID.

N/A

PIA - 6A:

Cite the legal authority to use the SSN.

N/A

PIA - 7:

Identify legal authorities, governing information use and disclosure
specific to the system and program.

Public Health Service Act, Section 301, "Research and Investigation" (42 U.S.C. 241).

PIA - 8:

Are records in the system retrieved by one or more PII data
elements?

No

PIA - 8A:

Please specify which PII data elements are used to retrieve
records.

PIA - 8B:

Provide the number, title, and URL of the Privacy Act System of
Records Notice (SORN) that is being used to cover the system or
indicate whether a new or revised SORN is in development.

PIA - 9:

Identify the sources of PII in the system.

Directly from an individual about whom the information pertains
In-person
Non-Government Sources
Members of the Public

PIA - 10:

Is there an Office of Management and Budget (OMB) information
collection approval number?

Yes

PIA - 10A:

Provide the information collection approval number.

Existing OMB# 0920-0621 exp. 1/31/2024. A new submission is in place and pending approval.

PIA - 10B:

Identify the OMB information collection approval number
expiration date.

1/31/2024

PIA - 10C:

Explain why an OMB information collection approval number is not
required.

Existing OMB# 0920-0621 exp. 1/31/2024. A new submission is in place and pending approval.

PIA - 11:

Is the PII shared with other organizations outside the system's
Operating Division?

No

PIA - 11A:

Identify with whom the PII is shared or disclosed.

PIA - 11B:

Please provide the purpose(s) for the disclosures described in PIA
- 11A.

PIA - 11C:

List any agreements in place that authorize the information
sharing or disclosure (e.g., Computer Matching Agreement (CMA),
Memorandum of Understanding (MOU), or Information Sharing
Agreement (ISA)).

N/A

PIA - 11D:

Describe process and procedures for logging/tracking/accounting
for the sharing and/or disclosing of PII. If no process or
procedures are in place, please explain why not.

N/A - No process is in place. The system only maintains authentication credentials for administrators.

PIA - 12:

Is the submission of PII by individuals voluntary or mandatory?

Voluntary

PIA - 12A:

If PII submission is mandatory, provide the specific legal
requirement that requires individuals to provide information or face
potential civil or criminal penalties.

N/A

PIA - 13:

Describe the method for individuals to opt-out of the collection or
use of their PII. If there is no option to object to the information
collection, provide a reason.

There is no option for administrators to opt out of having their user credentials and email addresses used, because this information is required for their role: it is necessary to establish an account for supporting the study and accessing the system. Respondents' PII (age, sex, grade level) is an optional multiple-choice selection and is collected only for statistical analysis.

PIA - 14:

Describe the process to notify and obtain consent from the
individuals whose PII is in the system when major changes occur
to the system (e.g., disclosure and/or data uses have changed
since the notice at the time of original collection). Alternatively,
describe why they cannot be notified or have their consent
obtained.

The PII identified is the authentication credential of the system administrators. There is no process in place to notify and obtain consent from these individuals when major changes occur to the system, because as administrators they would themselves be performing or acting on those changes.
Respondents' PII (age, sex, grade level) is an optional multiple-choice selection and is collected only for statistical analysis.

PIA - 15:

Describe the process in place to resolve an individual's concerns
when they believe their PII has been inappropriately obtained,
used, or disclosed, or that the PII is inaccurate. If no process
exists, explain why not.

System administrators may send an email to their supervisor if issues arise. Respondents' PII (age, sex, grade level) is an optional multiple-choice selection and is collected only for statistical analysis.

PIA - 16:

Describe the process in place for periodic reviews of PII contained
in the system to ensure the data's integrity, availability, accuracy
and relevancy. Please address each element in your response. If
no processes are in place, explain why not.

The PII identified is the authentication credential of the system administrators. User accounts are reviewed annually.
Respondents' PII (age, sex, grade level) is an optional multiple-choice selection and is collected only for statistical analysis.

PIA - 17:

Identify who will have access to the PII in the system.

Administrators
Contractors

PIA - 17A:

Select the type of contractor.

Third-Party Contractor (Contractors other than HHS
Direct Contractors)

PIA - 17B:

Do contracts include Federal Acquisition Regulation (FAR) and
other appropriate clauses ensuring adherence to privacy
provisions and practices?

Yes

PIA - 18:

Provide the reason why each of the groups identified in PIA - 17
needs access to PII.

Indirect contractor is system administrator who
has access to support the information system.

PIA - 19:

Describe the administrative procedures in place to determine
which system users (administrators, developers, contractors, etc.)
may access PII.

Indirect contractors managing NYTS are
granted access by the system administrator
based on the user's role as authorized by the
project manager. These indirect contractors
can view their own PII (email address) in the
system.

PIA - 20:

Describe the technical methods in place to allow those with
access to PII to only access the minimum amount of information
necessary to perform their job.

Role-based access controls are in place to ensure the concept of "least privilege" is implemented. Based on the technical director's and project director's assessment of each team member, the software administrator creates and implements access groups. Access groups can include system administrator, data analyst, database administrator, and survey developer (working on data validation, processing, etc.). Each individual assigned to work on the project is assigned to a group associated with their role, and access rights are derived from that role. The project directory structure is organized so that each directory is restricted to one or more access groups, effectively ensuring that an individual's access to data containing PII is restricted to the areas pertaining to the tasks the individual is required to perform.

PIA - 21:

Identify the general security and privacy awareness training
provided to system users (system owners, managers, operators,
contractors and/or program managers) using the system to make
them aware of their responsibilities for protecting the information
being collected and maintained.

Indirect contractors are required to complete Information Security Awareness Training (SAT) annually, which covers all aspects of systems and data security and confidentiality. Systems and network staff with higher roles and responsibilities are required to complete additional contingency plan and disaster recovery training on an annual basis.

PIA - 22:

Describe training system users receive (above and beyond
general security and privacy awareness training).

None

PIA - 23:

Describe the process and guidelines in place with regard to the
retention and destruction of PII. Cite specific National Archives
and Records Administration (NARA) records retention schedule(s)
and include the retention period(s).

User accounts and associated PII are removed
when no longer needed for access. The PII and
user accounts are temporary administrative
records and not subject to long term records
retention.
CDC Records Control Schedule GRS-24-13a
PKI Administrative Records.
User accounts are reviewed annually.

PIA - 24:

Describe how the PII will be secured in the system using
administrative, technical, and physical controls. Please address
each element in your response.

PII identified is an authentication credential for
system administrator.
Administrative Controls: include a security
plan, file back-up, least privilege, and training.
Technical Controls: Only the system administrator has access to the authentication credentials. User credentials are encrypted at the database level.
Physical Controls: include ID Badges, Key
Cards, Security Guards, and Closed Circuit TV
(CCTV) for servers.

Review & Comments

Privacy Analyst Review
OpDiv Privacy Analyst Review Status: Approved
Privacy Analyst Comments:
Privacy Analyst Review Date: 4/13/2023
Privacy Analyst Days Open:

SOP Review
SOP Review Status: Approved
SOP Comments:
SOP Signature: JWO Signature.docx
SOP Review Date: 4/18/2023
SOP Days Open: 15

Agency Privacy Analyst Review
Agency Privacy Analyst Review Status: Approved
Agency Privacy Analyst Review Date: 4/25/2023
Agency Privacy Analyst Review Comments: Reviewer: Shanai Shobowale. This PIA is ready for approval and signature.
Agency Privacy Analyst Days Open: 7

SAOP Review
SAOP Review Status: Approved
SAOP Signature:
SAOP Comments: Other responses in the PTA and/or PIA state that this system collects user credentials. However, PTA-5A says that "user credentials are maintained in a separate system (e.g., AD, AMS) and not collected or maintained by this system." If a system collects or maintains user credentials, the response to PTA-5A should be yes, even if some users authenticate to the system via a separate system. OpDivs can use PTA-5 or PTA-6 to explain how different users authenticate, the name of the separate system providing authentication for some users, and whether the authenticating system has its own PIA. As PTA responses cannot be revised once approved by the OpDiv SOP, these responses will need to be updated when directed by the CDC SOP.
SAOP Review Date: 5/3/2023
SAOP Days Open: 8

Supporting Document(s)
Name | Size | Type | Upload Date | Downloads
No Records Found

Comments
Question Name | Submitter | Date | Comment

PIA - 1 | BANKS, Quentin | 2/10/2023
Please include all PII that's within this tool. Name, age, sex, and grade level are missing.

PIA - 3 | BANKS, Quentin | 2/10/2023
Please confirm the accuracy of the number you selected. The last approved number had a higher number. If the number is correct, when did the change occur? Why did the change happen?

PIA - 13 | BANKS, Quentin | 2/10/2023
If this is true, then why is PIA-12 Voluntary? I recommend looking at the last approved PIA for reference.

PIA - 17 | BANKS, Quentin | 2/10/2023
In the last approved PIA, administrators also had access to the PII. Why did their access end?

PIA - 18 | BANKS, Quentin | 2/10/2023
Please include administrators as well in PIA-17.

PIA - 1 | BANKS, Quentin | 3/28/2023
Nonresponsive. Please include all PII that's within this tool. Name, age, sex, and grade level are missing.

PIA - 3 | BANKS, Quentin | 3/28/2023
Nonresponsive. Please confirm the

PIA - 13 | BANKS, Quentin | 3/28/2023
Nonresponsive. The PII collected is not only from administrators but from middle school and high school students. Can these students opt out by not taking the survey? If so, then that's an opt-out!

PIA - 19 | BANKS, Quentin | 3/28/2023
Please remove the first sentence. That statement is not relevant for this question.

PIA - 22 | BANKS, Quentin | 3/28/2023
What's the frequency of this training?

PIA - 1 | ALLEN, Cynthia | 3/28/2023
The current system only collects user credentials (email address and pw) for system access. The old NYTS collected additional PII which is not collected in this version.

PIA - 3 | ALLEN, Cynthia | 3/28/2023
NYTS has been redesigned to reduce the need for individual user PII. NYTS will only contain PII on less than 50 users for this data collection cycle. There will be 500-4,999 respondents who will access the survey through a URL provided in person.

PIA - 13 | ALLEN, Cynthia | 3/28/2023
Unlike the previous NYTS, middle and high school students do not enter PII into the system. The only PII in the system is that of the contractors conducting and managing the survey. The role of the contractor requires the use of PII to access the system. Therefore, contractors cannot opt out of providing their email address for system access.

PIA - 19 | ALLEN, Cynthia | 3/28/2023
Description has been updated.

PIA - 22 | ALLEN, Cynthia | 3/28/2023
Technical training on the use of NYTS is provided as needed. There is no additional security or privacy training provided or needed to utilize the low impact system.

PIA - 1 | BANKS, Quentin | 4/13/2023
.


File Type: application/pdf
File Modified: 2023-05-10
File Created: 2023-05-09
