Pia

Attachment 6 - PrivacyImpactAssessmentForm_FINAL_050819.docx

Formative Research, Pretesting, and Customer Satisfaction of NCI's Communication and Education Resources (NCI)

PIA

OMB: 0925-0046



Privacy Impact Assessment Form

v 1.47.4


Status Development Form Number Form Date 05/08/19


Question Answer


  1. OPDIV: National Cancer Institute, Center for Cancer Research

  2. PIA Unique Identifier:


2a Name: CCR Faculty Careers Application System






  1. The subject of this PIA is which of the following?

General Support System (GSS)

Major Application

Minor Application (stand-alone)

Minor Application (child)

Electronic Information Collection

Unknown

3a Identify the Enterprise Performance Lifecycle Phase of the system.

Development

3b Is this a FISMA-Reportable system?

Yes No

  1. Does the system include a Website or online application available to and for the use of the general public?

Yes No

Accept Reject


  1. Identify the operator.

    Agency

    Contractor



  1. Point of Contact (POC):

POC Title Federal Lead of Software Solutions

POC Name Mei Liu, PMP, CSM

POC Organization Center for Biomedical Informatics and Information Technology (CBIIT)

POC Email mei.liu@nih.gov

POC Phone 240-276-6921

Accept Reject

  1. Is this a new or existing system?

    New

    Existing

  1. Does the system have Security Authorization (SA)?

    Yes

    No

Accept Reject



8b Planned Date of Security Authorization

November 15, 2019

Not Applicable






11 Describe the purpose of the system.

Application system designed to allow faculty recruitment candidates to apply for positions electronically thus eliminating the need to submit paper applications via the mail. The system also allows for search committee members to rate and rank candidates electronically thus eliminating the need for printing multiple copies of applications to distribute to committee members.




Accept Reject

12 Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements.)

The application form requires that the candidate provide: email address, home phone, business phone, degree information, home address, business address, and the names and contact information for three references. Additionally, the

Accept Reject

13 Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

Applicant information, including candidate's email address, home phone, business phone, degree information, home address, business address, the names and contact information

Accept Reject


14 Does the system collect, maintain, use or share PII?

Yes

No

Accept

Reject













15 Indicate the type of PII that the system will collect or maintain.

Social Security Number Date of Birth

Name Photographic Identifiers Driver's License Number Biometric Identifiers

Mother's Maiden Name Vehicle Identifiers

E-Mail Address Mailing Address

Phone Numbers Medical Records Number

Medical Notes Financial Account Info

Certificates Legal Documents

Education Records Device Identifiers

Military Status Employment Status

Foreign Activities Passport Number Taxpayer ID

Other... Names and contact information of references. Other...Resumes/CVs/supporting documents from applicants Other...Letters of Recommendation from references

Other...

Other...












Accept Reject




16 Indicate the categories of individuals about whom PII is collected, maintained or shared.

Employees

Public Citizens

Business Partners/Contacts (Federal, state, local agencies) Vendors/Suppliers/Contractors

Patients

Other




Accept Reject


17 How many individuals' PII is in the system? 500-4,999

Accept

Reject


18 For what primary purpose is the PII used? The PII is used primarily to contact candidates.

Accept

Reject

19 Describe the secondary uses for which the PII will be used (e.g. testing, training or research)


N/A

Accept

Reject


20 Describe the function of the SSN. N/A - SSN information is not collected.

Accept Reject


20a Cite the legal authority to use the SSN. N/A - SSN information is not collected.

21 Identify legal authorities governing information use and disclosure specific to the system and program.

SORN 09-25-0168

Accept

Reject

22 Are records on the system retrieved by one or more PII data elements?

Yes

No

Accept

Reject


22a Identify the number and title of the Privacy Act System of Records Notice (SORN) that is being used to cover the system or identify if a SORN is being developed.

Published: SORN 09-25-0168

Published:

Published:

In Progress

23 Identify the sources of PII in the system.

Directly from an individual about whom the information pertains

In-Person Hard Copy: Mail/Fax

Email Online

Other Government Sources

Within the OPDIV Other HHS OPDIV

State/Local/Tribal

Foreign Other Federal Entities

Other Non-Government Sources

Members of the Public Commercial Data Broker Public Media/Internet

Private Sector

Other












Accept Reject

Users: Reviewing Candidates

Administrators: Reviewing Candidates

Developers: Migration/Maintenance of Data

Contractors: Migration/Maintenance of Data

Others





23a

Identify the OMB information collection approval number and expiration date.

0925-0046

07/31/2019



24


Is the PII shared with other organizations?

Yes

No

Accept

Reject


25

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

The Burden and Privacy Act statement is included on all public-facing pages of the system.

Accept

Reject


26

Is the submission of PII by individuals voluntary or mandatory?

Voluntary

Mandatory

Accept

Reject



27

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

PII collected is candidate contact information only. Without collecting this data, we will be unable to contact candidates to provide updates on the status of their applications, contact for interviews, etc.


Accept Reject




28

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

All applicants will be contacted via email if major changes occur to disclosure and/or data uses, etc.



Accept Reject



29

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.


Individuals may contact the application administrator via email to discuss concerns pertaining to PII. We will follow all processes and procedures as outlined in SORN 09-25-0168.


Accept Reject


30

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

PII is only reviewed during the application review step, where applicants are given a score based on their resume/CV and references.

Accept Reject







31

Identify who will have access to the PII in the system and the reason why they require access.







Accept Reject


32

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

Administrators and users may access PII. If an issue occurs in production, developers/contractors may need to gain access to the system containing PII to troubleshoot the issue.

Accept Reject



33


Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

Users are only allowed to access applicant PII for specific positions if they have been given access by the administrator. Developers/Contractors may be given temporary access by the administrator to troubleshoot any issues that occur in production.


Accept Reject

34 Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

N/A there are no plans to provide additional training to personnel. Access to the system is very limited and responsibilities for the protection of information being collected and maintained is covered in annual security and privacy awareness training.



Accept Reject

35 Describe training system users receive (above and beyond general security and privacy awareness training).

N/A

Accept Reject

36 Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

No

Accept Reject

37 Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

Application records/PII information will be removed within six months of filling the vacancy.

Accept Reject

38 Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Users may only access applicant data if they have permission to do so. Administrators control user access.

Accept Reject


39 Identify the publicly-available URL: https://service.cancer.gov/ccr-careers

Accept

Reject

40 Does the website have a posted privacy notice?

Yes

No

Accept

Reject

41 Does the website use web measurement and customization technology?

Yes

No

Accept

Reject

42 Does the website have any information or pages directed at children under the age of thirteen?

Yes

No

Accept Reject

43 Does the website contain links to non-federal government websites external to HHS?

Yes

No

Accept

Reject

43a Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS?

Yes

No



REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy.

Reviewer Questions Answer

1 Are the questions on the PIA answered correctly, accurately, and completely?

Yes

No

Accept

Reject

Reviewer

Notes

2 Does the PIA appropriately communicate the purpose of PII in the system and is the purpose justified by appropriate legal authorities?

Yes

No

Accept

Reject

Reviewer

Notes

3 Do system owners demonstrate appropriate understanding of the impact of the PII in the system and provide sufficient oversight to employees and contractors?

Yes

No

Accept

Reject



Reviewer

Notes


4


Does the PIA appropriately describe the PII quality and integrity of the data?

Yes

No

Accept

Reject

Reviewer

Notes


5


Is this a candidate for PII minimization?

Yes

No

Accept

Reject

Reviewer

Notes


6


Does the PIA accurately identify data retention procedures and records retention schedules?

Yes

No

Accept

Reject

Reviewer

Notes


7


Are the individuals whose PII is in the system provided appropriate participation?

Yes

No

Accept

Reject

Reviewer

Notes


8


Does the PIA raise any concerns about the security of the PII?

Yes

No

Accept

Reject

Reviewer

Notes

9

Is applicability of the Privacy Act captured correctly and is a SORN published or does it need to be?

Yes

No

Accept

Reject

Reviewer

Notes


10


Is the PII appropriately limited for use internally and with third parties?

Yes

No

Accept

Reject

Reviewer

Notes


11


Does the PIA demonstrate compliance with all Web privacy requirements?

Yes

No

Accept

Reject

Reviewer

Notes


12


Were any changes made to the system because of the completion of this PIA?

Yes

No

Accept

Reject

Reviewer

Notes




General Comments





OPDIV Senior Official for Privacy Signature

HHS Senior Agency Official for Privacy



Third-Party Website Assessment PIA Form

v 1.47.4


Status Form Number Read Only Form Date Read Only


Question Answer


  1. OPDIV: Read Only - OPDIV

  2. TPWA Unique Identifier (UID): Read Only - TPWA UID

  3. TPWA Name: Read Only - TPWA Name


  1. Is this a new TPWA?







Yes No


4a Please provide the reason for revision


  1. Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act?


5a Indicate the SORN number (or identify plans to put one in place.)


  1. Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)?


6a Indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.)



  1. Does the third-party Website or application contain Federal Records?






SORN Number:


If not published:





OMB Approval Number Expiration Date Explanation


Yes No






Yes No







Yes No


Accept Reject






Accept Reject







Accept Reject

  1. Point of Contact (POC):

POC Title

POC Name

POC Organization

POC Email

POC Phone

Accept Reject


  1. Describe the specific purpose for the OPDIV use of the third-party Website or application:

Accept Reject

10 Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use?

Yes

No

Accept

Reject

11 Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application:


Accept Reject

12 Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors?

Yes

No

Accept

Reject

13 How does the public navigate to the third party Website or application from the OPDIV?


Accept

Reject

13a Please describe how the public navigate to the third-party website or application:

13b If the public navigate to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website?

Yes No


14 Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application?

Yes No

Accept Reject

14a Provide a hyperlink to the OPDIV Privacy Policy:

15 Is an OPDIV Privacy Notice posted on the third-party Website or application?

Yes No

Accept Reject

15a Confirm that the Privacy Notice contains all of the following elements: (i) An explanation that the Website or application is not government-owned or government-operated; (ii) An indication of whether and how the OPDIV will maintain, use, or share PII that becomes available; (iii) An explanation that by using the third-party Website or application to communicate with the OPDIV, individuals may be providing nongovernmental third-parties with access to PII; (iv) A link to the official OPDIV Website; and (v) A link to the OPDIV Privacy Policy





Yes No


15b Is the OPDIV's Privacy Notice prominently displayed at all locations on the third-party Website or application where the public might make PII available?

Yes No


16 Is PII collected by the OPDIV from the third-party Website or application?

Yes

No

Accept

Reject

17 Will the third-party Website or application make PII available to the OPDIV?

Yes

No

Accept

Reject

18 Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII:




Accept Reject

19 Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing:



Accept Reject

19a If PII is shared, how are the risks of sharing PII mitigated?

20 Will the PII from the third-party Website or application be maintained by the OPDIV?

Yes

No


Accept

Reject

20a If PII will be maintained, indicate how long the PII will be maintained:

21 Describe how PII that is used or maintained will be secured:



Accept

Reject

22 What other privacy risks exist and how will they be mitigated?



Accept

Reject


REVIEWER QUESTIONS: The following section contains Reviewer Questions which are not to be filled out unless the user is an OPDIV Senior Officer for Privacy.

Reviewer Questions


Answer



1


Are the responses accurate and complete?


Yes

No

Accept

Reject

Reviewer

Notes


2

Is the TPWA compliant with all M-10-23 requirements, including appropriate branding and alerts?

Yes

No

Accept

Reject

Reviewer

Notes


3

Has the OPDIV posted an updated privacy notice on the TPWA and does it contain the five required elements?

Yes

No

Accept

Reject

Reviewer

Notes


4


Does the PIA clearly identify PII made available and/or collected by the TPWA?


Yes

No

Accept

Reject

Reviewer

Notes


5


Is the handling of PII appropriate?


Yes

No

Accept

Reject

Reviewer

Notes



General Comments





OPDIV Senior Official for Privacy Signature

HHS Senior Agency Official for Privacy




File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author: Hirsch, Quinn N. EOP/OMB
File Modified: 0000-00-00
File Created: 2021-01-15
