ATTACHMENT 6
PRIVACY IMPACT ASSESSMENT
Primavera ProSight Report
06.1 HHS Privacy Impact Assessment (Form) / NIH NIAAA NESARC3 Study Management System (Item)
Page 1 of 17
Form Report, printed by: Anderson, Pamela, Dec 3, 2010
PIA SUMMARY
The following required questions with an asterisk (*) represent the information necessary to complete the PIA Summary for transmission to the Office of
Management and Budget (OMB) and public posting in accordance with OMB Memorandum (M) 03-22.
Note: If a question or its response is not applicable, please answer “N/A” to that question where possible. If the system hosts a website, the Website Hosting
Practices section is required to be completed regardless of the presence of personally identifiable information (PII). If no PII is contained in the system, please
answer questions in the PIA Summary Tab and then promote the PIA to the Senior Official for Privacy who will authorize the PIA. If this system contains PII, all
remaining questions on the PIA Form Tabs must be completed prior to signature and promotion.
Summary of PIA Required Questions
*Is this a new PIA?
Yes
If this is an existing PIA, please provide a reason for revision:
*1. Date of this Submission:
Oct 15, 2010
*2. OPDIV Name:
NIH
*4. Privacy Act System of Records Notice (SORN) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):
09-25-0200
*5. OMB Information Collection Approval Number:
TBD
*6. Other Identifying Number(s):
Westat Internal Project ID 8690
*7. System Name (Align with system item name):
NIH NIAAA National Epidemiologic Survey on Alcohol and Related Conditions III Study Management System (NESARC3-SMS)
*9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:
Point of Contact Information
POC Name: Bridget Grant, Ph.D, Ph.D
*10. Provide an overview of the system:
The information is collected under 42 USC 285n and participation in the NESARC-III is voluntary. The information contains PII and
information is shared in accordance with the guidance in the System of Records Notice 09-25-0200. The NESARC-III is a nationally
representative survey of the U.S. population (N=46,500). The NESARC-III will collect information on alcohol use practices and alcohol use
disorders and their associated physical (e.g. liver cirrhosis) and psychological (e.g. depressed mood) disabilities and also DNA through
saliva samples. There are two small methodological components (N=1700) that collect information on reliability and validity. The major
purpose of the information is to determine the prevalence, distribution, treatment and health disparities and economic costs and to identify
environmental and genetic risk factors and their interactions for these conditions.
*13. Indicate if the system is new or an existing one being modified:
New
*17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this
system?
TIP: If the answer to Question 17 is “No” (indicating the system does not contain PII), only the remaining PIA Summary tab questions need to be completed and submitted. If the system does contain PII, the full PIA must be completed and submitted. (Although note that “Employee systems,” – i.e., systems that collect PII “permitting the physical or online contacting of a specific individual … employed [by] the Federal Government” – only need to complete the PIA Summary tab.)
Yes
http://sport.hhs.gov/prosight/Forms/FormsPrint.aspx?ExportPrintAction=Print&pfId=4369... 12/3/2010
17a. Is this a GSS PIA included for C&A purposes only, with no ownership of underlying application data? If the response to Q.17a is Yes, the response to Q.17
should be No and only the PIA Summary must be completed.
No
*19. Are records on the system retrieved by 1 or more PII data elements?
Yes
*21. Is the system subject to the Privacy Act? (If the response to Q.19 is Yes, the response to Q.21 must be Yes and a SORN number is required for Q.4)
Yes
*23. If the system shares or discloses PII, please specify with whom and for what purpose(s):
Information stored in the system is shared in accordance with the routine uses outlined in NIH Systems of Record Notice 09-25-0200.
*30. Please describe in detail: (1) The information the agency will collect, maintain, or disseminate (clearly state if the information contained in the system
ONLY represents federal contact data); (2) Why and for what purpose the agency will use the information; (3) Explicitly indicate whether the information
contains PII; and (4) Whether submission of personal information is voluntary or mandatory:
The information is collected under 42 USC 285n and participation in the NESARC-III is voluntary. The information contains PII and
information is shared in accordance with the guidance in the System of Records Notice 09-25-0200. The NESARC-III is a nationally
representative survey of the U.S. population (N=46,500). The NESARC-III will collect information on alcohol use practices and alcohol use
disorders and their associated physical (e.g. liver cirrhosis) and psychological (e.g. depressed mood) disabilities and also DNA through
saliva samples. There are two small methodological components (N=1700) that collect information on reliability and validity. The major
purpose of the information is to determine the prevalence, distribution, treatment and health disparities and economic costs and to identify
environmental and genetic risk factors and their interactions for these conditions. Information collected includes background information,
including sociodemographic variables; alcohol use practices, disorders and alcohol related social, psychological and physical consequences;
symptoms scales indexing major mood, anxiety, and eating conditions that frequently co-occur with alcohol and drug use disorders;
tobacco, medicine and drug use and disorders and related social, psychological, and physical consequences; selected personality traits,
including behavior; alcohol, drug, and mental health treatment utilization; medical conditions related to alcohol consumption; care giving
roles; discrimination in health care; race-ethnicity; gender; income; sexual orientation; physical disability; acculturation; perceived stress
and social support; adverse childhood experiences and intimate partner violence; nativity; generational status; sexual orientation; age at
first intercourse; presence of HIV/AIDS and other medical disease; health insurance coverage; and executive functioning.
*31. Please describe in detail any processes in place to: (1) Notify and obtain consent from the individuals whose PII is in the system when major changes
occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) Notify and obtain consent from
individuals regarding what PII is being collected from them; and (3) How the information will be used or shared. (Note: Please describe in what format
individuals will be given notice of consent [e.g., written notice, electronic notice, etc.]):
Individuals whose information is in the system only interact with the system to respond to the surveys. No changes will be made to the
information that they provide. Respondents are notified and consent is obtained regarding PII collected from them through advance letters,
informational study materials and written notice on consent. The information will be used for research purposes and shared in accordance
with the guidance in System of Records Notice 09-25-0200.
*32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the
presence of PII)
No
*37. Does the website have any information or pages directed at children under the age of thirteen?
No
*50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and
Destruction section in SORN)
Yes
*54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls:
Information will be secured on the system through access controls, personnel security awareness and training, regular auditing of
information and information management processes, careful monitoring of a properly accredited NESARC3-SMS information system, control
of changes to the system, by appropriate planning and testing of configuration management and contingency processes, by ensuring that
all users of the NESARC3-SMS are properly identified and authorized for access and are aware of and acknowledge the system rules of
behavior, by ensuring that any contingency or incident is handled expeditiously, properly maintaining the system and regulating the
environment it operates in, by controlling media, by evaluating risks and planning for information management and information system
operations, by ensuring that the system and any exchange of information is protected, by maintaining the confidentiality and integrity of
the NESARC3-SMS, and by adhering to the requirements established in the contract and statement of work.
PIA REQUIRED INFORMATION
HHS Privacy Impact Assessment (PIA)
The PIA determines if Personally Identifiable Information (PII) is contained within a system, what kind of PII, what is done with that information, and how that
information is protected. Systems with PII are subject to an extensive list of requirements based on privacy laws, regulations, and guidance. The HHS Privacy
Act Officer may be contacted for issues related to Freedom of Information Act (FOIA) and the Privacy Act. Respective Operating Division (OPDIV) Privacy
Contacts may be contacted for issues related to the Privacy Act. The Office of the Chief Information Officer (OCIO) can be used as a resource for questions
related to the administrative, technical, and physical controls of the system. Please note that answers to questions with an asterisk (*) will be submitted to the
Office of Management and Budget (OMB) and made publicly available in accordance with OMB Memorandum (M) 03-22.
Note: If a question or its response is not applicable, please answer “N/A” to that question where possible.
General Information
*Is this a new PIA?
Yes
If this is an existing PIA, please provide a reason for revision:
*1. Date of this Submission:
Oct 15, 2010
*2. OPDIV Name:
NIH
3. Unique Project Identifier (UPI) Number for current fiscal year (Data is auto-populated from the System Inventory form, UPI table):
TBD
*4. Privacy Act System of Records Notice (SORN) Number (If response to Q.21 is Yes, a SORN number is required for Q.4):
09-25-0200
*5. OMB Information Collection Approval Number:
TBD
5a. OMB Collection Approval Number Expiration Date:
*6. Other Identifying Number(s):
Westat Internal Project ID 8690
*7. System Name: (Align with system item name)
NIH NIAAA National Epidemiologic Survey on Alcohol and Related Conditions III Study Management System (NESARC3-SMS)
8. System Location: (OPDIV or contractor office building, room, city, and state)
OPDIV or contractor office building: Westat Inc. 1600 Research Blvd
Room: 2011
City: Rockville
State: MD
*9. System Point of Contact (POC). The System POC is the person to whom questions about the system and the responses to this PIA may be addressed:
Point of Contact Information
POC Name: Bridget Grant, Ph.D, Ph.D
The following information will not be made publicly available:
POC Title: Chief, Laboratory of Epidemiology and Biometry
POC Organization: DHHS/NIH/NIAAA
POC Phone: (301) 443-7370
POC Email:
*10. Provide an overview of the system: (Note: The System Inventory form can provide additional information for child dependencies if the system is a GSS)
The information is collected under 42 USC 285n and participation in the NESARC-III is voluntary. The information contains PII and
information is shared in accordance with the guidance in the System of Records Notice 09-25-0200. The NESARC-III is a nationally
representative survey of the U.S. population (N=46,500). The NESARC-III will collect information on alcohol use practices and alcohol use
disorders and their associated physical (e.g. liver cirrhosis) and psychological (e.g. depressed mood) disabilities and also DNA through
saliva samples. There are two small methodological components (N=1700) that collect information on reliability and validity. The major
purpose of the information is to determine the prevalence, distribution, treatment and health disparities and economic costs and to identify
environmental and genetic risk factors and their interactions for these conditions.
SYSTEM CHARACTERIZATION AND DATA CATEGORIZATION
System Characterization and Data Configuration
11. Does HHS own the system?
Yes
11a. If no, identify the system owner:
12. Does HHS operate the system? (If the system is operated at a contractor site, the answer should be No)
No
12a. If no, identify the system operator:
Westat, Inc 1600 Research Blvd, Rockville, MD 20850
*13. Indicate if the system is new or an existing one being modified:
New
14. Identify the life-cycle phase of this system:
Development/Acquisition
15. Have any of the following major changes occurred to the system since the PIA was last submitted?
No
Please indicate “Yes” or “No” for each category below:
Conversions: No
Anonymous to Non-Anonymous: No
Significant System Management Changes: No
Significant Merging: No
New Public Access: No
Commercial Sources: No
New Interagency Uses: No
Internal Flow or Collection: No
Alteration in Character of Data: No
16. Is the system a General Support System (GSS), Major Application (MA), Minor Application (child) or Minor Application (stand-alone)?
Major Application
*17. Does/Will the system collect, maintain (store), disseminate and/or pass through PII within any database(s), record(s), file(s) or website(s) hosted by this
system?
Yes
TIP: If the answer to Question 17 is “No” (indicating the system does not contain PII), only the remaining PIA Summary tab questions need to be completed and submitted. If the system does contain PII, the full PIA must be completed and submitted. (Although note that “Employee systems,” – i.e., systems that collect PII “permitting the physical or online contacting of a specific individual … employed [by] the Federal Government” – only need to complete the PIA Summary tab.)
Please indicate "Yes" or "No" for each PII category. If the applicable PII category is not listed, please use the Other field to identify the appropriate category of PII.
Categories:
Name (for purposes other than contacting federal employees): Yes
Date of Birth: Yes
Social Security Number (SSN): No
Photographic Identifiers: No
Driver’s License: No
Biometric Identifiers: No
Mother’s Maiden Name: No
Vehicle Identifiers: No
Personal Mailing Address: Yes
Personal Phone Numbers: Yes
Medical Records Numbers: No
Medical Notes: No
Financial Account Information: No
Certificates: No
Legal Documents: No
Device Identifiers: No
Web Uniform Resource Locator(s) (URL): No
Personal Email Address: Yes
Education Records: No
Military Status: No
Employment Status: No
Foreign Activities: No
Other: No
17a. Is this a GSS PIA included for C&A purposes only, with no ownership of underlying application data? If the response to Q.17a is Yes, the response to Q.17
should be No and only the PIA Summary must be completed.
No
18. Please indicate the categories of individuals about whom PII is collected, maintained, disseminated and/or passed through. Note: If the applicable PII
category is not listed, please use the Other field to identify the appropriate category of PII. Please answer "Yes" or "No" to each of these choices (NA in other is
not applicable).
Categories:
Employees: No
Public Citizen: Yes
Patients: No
Business partners/contacts (Federal, state, local agencies): No
Vendors/Suppliers/Contractors: No
Other: No
*19. Are records on the system retrieved by 1 or more PII data elements?
Yes
Please indicate "Yes" or "No" for each PII category. If the applicable PII category is not listed, please use the Other field to identify the appropriate category of PII.
Categories:
Name (for purposes other than contacting federal employees): Yes
Date of Birth: No
SSN: No
Photographic Identifiers: No
Driver’s License: No
Biometric Identifiers: No
Mother’s Maiden Name: No
Vehicle Identifiers: No
Personal Mailing Address: Yes
Personal Phone Numbers: Yes
Medical Records Numbers: No
Medical Notes: No
Financial Account Information: No
Certificates: No
Legal Documents: No
Device Identifiers: No
Web URLs: No
Personal Email Address: No
Education Records: No
Military Status: No
Employment Status: No
Foreign Activities: No
Other: No
20. Are 10 or more records containing PII maintained, stored or transmitted/passed through this system?
Yes
*21. Is the system subject to the Privacy Act? (If the response to Q.19 is Yes, the response to Q.21 must be Yes and a SORN number is required for Q.4)
Yes
21a. If yes but a SORN has not been created, please provide an explanation.
INFORMATION SHARING PRACTICES
Information Sharing Practices
22. Does the system share or disclose PII with other divisions within this agency, external agencies, or other people or organizations outside the agency?
Yes
Please indicate “Yes” or “No” for each category below:
Name (for purposes other than contacting federal employees): Yes
Date of Birth: No
SSN: No
Photographic Identifiers: No
Driver’s License: No
Biometric Identifiers: No
Mother’s Maiden Name: No
Vehicle Identifiers: No
Personal Mailing Address: Yes
Personal Phone Numbers: Yes
Medical Records Numbers: No
Medical Notes: No
Financial Account Information: No
Certificates: No
Legal Documents: No
Device Identifiers: No
Web URLs: No
Personal Email Address: No
Education Records: No
Military Status: No
Employment Status: No
Foreign Activities: No
Other: No
*23. If the system shares or discloses PII please specify with whom and for what purpose(s):
Information stored in the system is shared in accordance with the routine uses outlined in NIH Systems of Record Notice 09-25-0200.
24. If the PII in the system is matched against PII in one or more other computer systems, are computer data matching agreement(s) in place?
No
25. Is there a process in place to notify organizations or systems that are dependent upon the PII contained in this system when major changes occur (i.e.,
revisions to PII, or when the system is replaced)?
No
26. Are individuals notified how their PII is going to be used?
Yes
26a. If yes, please describe the process for allowing individuals to have a choice. If no, please provide an explanation.
A Privacy Act Notification Statement pursuant to Privacy Act 5 USC 552a Section (b)(3) is provided in written form to the individual through
an advance letter prior to the survey.
27. Is there a complaint process in place for individuals who believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate?
Yes
27a. If yes, please describe briefly the notification process. If no, please provide an explanation.
Individuals can contact the project at any time to redress their grievances and make any corrections. Information regarding this process is
available in the documentation provided to the participant. The notification process is described in SORN 09-25-0200. The process includes
detailed information on who to contact, form of notification request, verification of identity, conditions for granting access to information,
and procedures for reviewing the records and informing the subject individual.
28. Are there processes in place for periodic reviews of PII contained in the system to ensure the data’s integrity, availability, accuracy and relevancy?
Yes
28a. If yes, please describe briefly the review process. If no, please provide an explanation.
PII is reviewed for integrity, accuracy and relevance through system consistency checking procedures as part of the process of contacting
and interviewing the participants.
29. Are there rules of conduct in place for access to PII on the system?
Yes
Please indicate "Yes," "No," or "N/A" for each category. If yes, briefly state the purpose for each user to have access:
Users with access to PII (Yes/No/N/A; Purpose):
User: Yes. Purpose: Project staff members have access to the PII in order to contact participants and prepare for participant interviews.
Administrators: Yes. Purpose: Manage Westat resources supporting or included in the NESARC3-SMS.
Developers: Yes. Purpose: Extract and utilize participant information for phone, mail, and email contacts and other routine information management tasks.
Contractors: Yes. Purpose: Westat, a contracted research organization, is conducting the field work.
Other:
*30. Please describe in detail: (1) The information the agency will collect, maintain, or disseminate (clearly state if the information contained in the system
ONLY represents federal contact data); (2) Why and for what purpose the agency will use the information; (3) Explicitly indicate whether the information
contains PII; and (4) Whether submission of personal information is voluntary or mandatory:
The information is collected under 42 USC 285n and participation in the NESARC-III is voluntary. The information contains PII and
information is shared in accordance with the guidance in the System of Records Notice 09-25-0200. The NESARC-III is a nationally
representative survey of the U.S. population (N=46,500). The NESARC-III will collect information on alcohol use practices and alcohol use
disorders and their associated physical (e.g. liver cirrhosis) and psychological (e.g. depressed mood) disabilities and also DNA through
saliva samples. There are two small methodological components (N=1700) that collect information on reliability and validity. The major
purpose of the information is to determine the prevalence, distribution, treatment and health disparities and economic costs and to identify
environmental and genetic risk factors and their interactions for these conditions. Information collected includes background information,
including sociodemographic variables; alcohol use practices, disorders and alcohol related social, psychological and physical consequences;
symptoms scales indexing major mood, anxiety, and eating conditions that frequently co-occur with alcohol and drug use disorders;
tobacco, medicine and drug use and disorders and related social, psychological, and physical consequences; selected personality traits,
including behavior; alcohol, drug, and mental health treatment utilization; medical conditions related to alcohol consumption; care giving
roles; discrimination in health care; race-ethnicity; gender; income; sexual orientation; physical disability; acculturation; perceived stress
and social support; adverse childhood experiences and intimate partner violence; nativity; generational status; sexual orientation; age at
first intercourse; presence of HIV/AIDS and other medical disease; health insurance coverage; and executive functioning.
*31. Please describe in detail any processes in place to: (1) Notify and obtain consent from the individuals whose PII is in the system when major changes
occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection); (2) Notify and obtain consent from
individuals regarding what PII is being collected from them; and (3) How the information will be used or shared. (Note: Please describe in what format
individuals will be given notice of consent [e.g., written notice, electronic notice, etc.])
Individuals whose information is in the system only interact with the system to respond to the surveys. No changes will be made to the
information that they provide. Respondents are notified and consent is obtained regarding PII collected from them through advance letters,
informational study materials and written notice on consent. The information will be used for research purposes and shared in accordance
with the guidance in System of Records Notice 09-25-0200.
WEBSITE HOSTING PRACTICES
Website Hosting Practices
*32. Does the system host a website? (Note: If the system hosts a website, the Website Hosting Practices section is required to be completed regardless of the
presence of PII)
No
Please indicate “Yes” or “No” for each type of site below. If the system hosts both Internet and Intranet sites, indicate “Yes” for “Both” only.
Internet: No
Intranet: No
Both: No
If the system hosts an Internet site, please enter the site URL. Do not enter any URL(s) for Intranet sites.
33. Does the system host a website that is accessible by the public and does not meet the exceptions listed in OMB M-03-22?
Note: OMB M-03-22 Attachment A, Section III, Subsection C requires agencies to post a privacy policy for websites that are accessible to the public, but
provides three exceptions: (1) Websites containing information other than "government information" as defined in OMB Circular A-130; (2) Agency intranet
websites that are accessible only by authorized government users (employees, contractors, consultants, fellows, grantees); and (3) National security systems
defined at 40 U.S.C. 11103 as exempt from the definition of information technology (see section 202(i) of the E-Government Act.).
Yes
34. If the website does not meet one or more of the exceptions described in Q. 33 (i.e., response to Q. 33 is "Yes"), a website privacy policy statement
(consistent with OMB M-03-22 and Title II and III of the E-Government Act) is required. Has a website privacy policy been posted?
Yes
35. If a website privacy policy is required (i.e., response to Q. 34 is “Yes”), is the privacy policy in machine-readable format, such as Platform for Privacy
Preferences (P3P)?
No
35a. If no, please indicate when the website will be P3P compliant:
The web site links to the NIH policy which is P3P compliant.
36. Does the website employ tracking technologies?
Yes
Please indicate “Yes”, “No”, or “N/A” for each type of cookie below:
Web Bugs: No
Web Beacons: No
Session Cookies: Yes
Persistent Cookies: No
Other:
*37. Does the website have any information or pages directed at children under the age of thirteen?
No
37a. If yes, is there a unique privacy policy for the site, and does the unique privacy policy address the process for obtaining parental consent if any information
is collected?
38. Does the website collect PII from individuals?
No
Please indicate “Yes” or “No” for each category below:
Name (for purposes other than contacting federal employees): No
Date of Birth: No
SSN: No
Photographic Identifiers: No
Driver's License: No
Biometric Identifiers: No
Mother's Maiden Name: No
Vehicle Identifiers: No
Personal Mailing Address: No
Personal Phone Numbers: No
Medical Records Numbers: No
Medical Notes: No
Financial Account Information: No
Certificates: No
Legal Documents: No
Device Identifiers: No
Web URLs: No
Personal Email Address: No
Education Records: No
Military Status: No
Employment Status: No
Foreign Activities: No
Other: No
39. Are rules of conduct in place for access to PII on the website?
Yes
40. Does the website contain links to sites external to HHS that owns and/or operates the system?
No
40a. If yes, note whether the system provides a disclaimer notice for users that follow external links to websites not owned or operated by HHS.
ADMINISTRATIVE CONTROLS
Administrative Controls
Note: This PIA uses the terms “Administrative,” “Technical” and “Physical” to refer to security control questions—terms that are used in several Federal laws
when referencing security requirements.
41. Has the system been certified and accredited (C&A)?
No
41a. If yes, please indicate when the C&A was completed (Note: The C&A date is populated in the System Inventory form via the responsible Security
personnel):
41b. If a system requires a C&A and no C&A was completed, is a C&A in progress?
Yes
42. Is there a system security plan for this system?
Yes
43. Is there a contingency (or backup) plan for the system?
Yes
44. Are files backed up regularly?
Yes
45. Are backup files stored offsite?
Yes
46. Are there user manuals for the system?
No
47. Have personnel (system owners, managers, operators, contractors and/or program managers) using the system been trained and made aware of their
responsibilities for protecting the information being collected and maintained?
Yes
48. If contractors operate or use the system, do the contracts include clauses ensuring adherence to privacy provisions and practices?
Yes
49. Are methods in place to ensure least privilege (i.e., “need to know” and accountability)?
Yes
49a. If yes, please specify method(s):
There are user roles defined for the NESARC3-SMS. These roles ensure that access privileges are narrowly defined, and that only those
staff members that need certain types of access are granted that access. In addition to limiting functions, physical access controls limit
access to the system. Accountability is assured through strict authentication and authorization and the use of audit logs that exist for
applications, systems and network infrastructure components.
*50. Are there policies or guidelines in place with regard to the retention and destruction of PII? (Refer to the C&A package and/or the Records Retention and
Destruction section in SORN):
Yes
50a. If yes, please provide some detail about these policies/practices:
PII maintained in the NESARC3-SMS is retained for the duration of the fielding of the survey, and will be destroyed at the end of data
collection in accordance with contract provisions and NIAAA direction.
TECHNICAL CONTROLS
Technical Controls
51. Are technical controls in place to minimize the possibility of unauthorized access, use, or dissemination of the data in the system?
Yes
Please indicate “Yes” or “No” for each category below:
User Identification: Yes
Passwords: Yes
Firewall: Yes
Virtual Private Network (VPN): Yes
Encryption: Yes
Intrusion Detection System (IDS): Yes
Common Access Cards (CAC): Yes
Smart Cards: No
Biometrics: No
Public Key Infrastructure (PKI): Yes
52. Is there a process in place to monitor and respond to privacy and/or security incidents?
Yes
52a. If yes, please briefly describe the process:
The Westat Systems group is responsible for monitoring and responding to any security incident in collaboration with the NESARC3-SMS project group. The Systems group employs tools such as Snort and regularly scheduled internal and external agency network vulnerability scans to stay on top of any security threat. All privacy and/or security incidents, or suspected incidents, must be reported promptly to the NIAAA ISSO and the NIAAA Project Officer. The IC ISSO serves as the principal IC contact for coordination, implementation, and enforcement of this policy with the NIH Sr. ISSO and IC stakeholders.
PHYSICAL ACCESS
Physical Access
53. Are physical access controls in place?
Yes
Please indicate “Yes” or “No” for each category below:
Guards: Yes
Identification Badges: Yes
Key Cards: Yes
Cipher Locks: Yes
Biometrics: No
Closed Circuit TV (CCTV): Yes
*54. Briefly describe in detail how the PII will be secured on the system using administrative, technical, and physical controls:
Information will be secured on the system through access controls, personnel security awareness and training, regular auditing of
information and information management processes, careful monitoring of a properly accredited NESARC3-SMS information system, control
of changes to the system, by appropriate planning and testing of configuration management and contingency processes, by ensuring that
all users of the NESARC3-SMS are properly identified and authorized for access and are aware of and acknowledge the system rules of
behavior, by ensuring that any contingency or incident is handled expeditiously, properly maintaining the system and regulating the
environment it operates in, by controlling media, by evaluating risks and planning for information management and information system
operations, by ensuring that the system and any exchange of information is protected, by maintaining the confidentiality and integrity of
the NESARC3-SMS, and by adhering to the requirements established in the contract and statement of work.
APPROVAL/DEMOTION
System Information
System Name: NIH NIAAA National Epidemiologic Survey on Alcohol and Related Conditions III Study Management System (NESARC3-SMS)
PIA Reviewer Approval/Promotion or Demotion
Promotion/Demotion: Promote
Comments:
Approval/Demotion Point of Contact:
Date: Oct 15, 2010
Senior Official for Privacy Approval/Promotion or Demotion
Promotion/Demotion: Promote
Comments:
OPDIV Senior Official for Privacy or Designee Approval
Please print the PIA and obtain the endorsement of the reviewing official below. Once the signature has been collected, retain a hard copy for the OPDIV's records. Submitting the PIA will indicate the reviewing official has endorsed it.
This PIA has been reviewed and endorsed by the OPDIV Senior Official for Privacy or Designee (Name and Date):
Name: __________________________________ Date: ________________________________________
Name: Karen Plá
Date: Dec 2, 2010
Department Approval to Publish to the Web
Approved for web publishing
Date Published:
Publicly posted PIA URL or no PIA URL explanation:
PIA % COMPLETE
PIA Completion
PIA Percentage Complete: 100.00
PIA Missing Fields:
File Type: application/pdf
Author: fstinson
File Modified: 2010-12-06
File Created: 2010-10-15