Privacy Impact Assessment

Save

Privacy Impact Assessment Form
v 1.47.4
Question

Answer

1

OPDIV:

NIH

2

PIA Unique Identifier:

P-7517519-327592

2a Name:

NCI Cancer Information Service Contact Center
General Support System (GSS)
Major Application

3

Minor Application (stand-alone)

The subject of this PIA is which of the following?

Minor

Application

(child)

Electronic Information Collection
Unknown
3a

Identify the Enterprise Performance Lifecycle Phase
of the system.

Operations and Maintenance
Yes

3b Is this a FISMA-Reportable system?
4

Does the system include a Website or online
application available to and for the use of the general
public?

5

Identify the operator.

6

Point of Contact (POC):

7

Is this a new or existing system?

8

Does the system have Security Authorization (SA)?

8a Date of Security Authorization

No
Yes
No
Agency
Contractor
POC Title

Telecommunications Specialist

POC Name

Robert Zablocki

POC Organization NIH/NCI/OCPL
POC Email

zablocb@mail.nih.gov

POC Phone

240-793-8642
New
Existing
Yes
No

Aug 7, 2023

Page 1 of 8

Save

9

Indicate the following reason(s) for updating this PIA.
Choose from the following options.

PIA Validation (PIA
Refresh/Annual Review)
Anonymous to NonAnonymous
New Public Access
Internal Flow or Collection
Commercial Sources

Significant System
Management Change
Alteration in Character of
Data
New Interagency Uses
Conversion

The following responses have changed since the last PIA was
approved:
10

11

Describe in further detail any changes to the system
that have occurred since the last PIA.

Describe the purpose of the system.

Point of Contact number updated
OMB information collection expiration date updated
Security authorization date updated
The Cancer Information Service Contact Center (CIS) is a public
service provided by the National Cancer Institute (NCI) that
provides the general public with information concerning
cancer causes, prevention and answers to general questions.
The service comprises telephone, web, chat, e-mail, and ereferral methods to communicate.

Through the following access channels phones, chat, e-mail,
mail, social media and Kno2, Veteran Administration's (VA)
preferred secure file transfer provider, clients may voluntarily
provide Personally Identifiable Information (PII) and other
Describe the type of information the system will
information including name, email address, phone number,
collect, maintain (store), or share. (Subsequent
12
questions will identify if this information is PII and ask education records, mailing address, age, sex, ethnicity, race
and household income during the inquiry response, materials
about the specific data elements.)
ordering, or research participation processes. NCI accesses the
system with a user name and password to administer. Chats
are kept and purged in compliance with the records retention
schedule.
The Cancer Information Service is a public service provided by
the National Cancer Institute (NCI) that provides the general
public with information concerning cancer causes, prevention
and answers to general questions. The service comprises
telephone, web, chat, e-mail, and e-referral methods to
communicate.
Provide an overview of the system and describe the
13 information it will collect, maintain (store), or share,
either permanently or temporarily.

14

Does the system collect, maintain, use or share PII?

Through the following access channels phones, chat, e-mail,
mail, social media and Kno2, Veteran Administration's (VA)
preferred secure file transfer provider, clients may voluntarily
provide Personally Identifiable Information (PII) and other
information including name, email address, phone number,
education records, mailing address, age, sex, ethnicity, race and
household income during the inquiry response, materials
ordering, or research participation processes. NCI accesses the
system with a user name and password to administer. Chats
are kept and purged in compliance with the records retention
schedule.
Yes
No

Page 2 of 8

Save

15

Indicate the type of PII that the system will collect or
maintain.

Social Security Number

Date of Birth

Name

Photographic Identifiers

Driver's License Number

Biometric Identifiers

Mother's Maiden Name

Vehicle Identifiers

E-Mail Address

Mailing Address

Phone Numbers

Medical Records Number

Medical Notes

Financial Account Info

Certificates

Legal Documents

Education Records

Device Identifiers

Military Status

Employment Status

Foreign Activities

Passport Number

Taxpayer ID
age, sex, ethnicity, race
household income
user name and password

Employees
Public Citizens
16

Business Partners/Contacts (Federal, state, local agencies)

Indicate the categories of individuals about whom PII
is collected, maintained or shared.

Vendors/Suppliers/Contractors
Patients
Other

17 How many individuals' PII is in the system?

18 For what primary purpose is the PII used?

500-4,999
Personally Identifiable Information (PII) is collected in the
about interactions with the public. Name, mailing address, and
e-mail address information is used for fulfillment of publication
requests.
The calls recorded could contain PII data (name, address, email,
phone, age and sex) if the client requests to have material sent
to them.

19

Describe the secondary uses for which the PII will be
used (e.g. testing, training or research)

Secondary uses of PII are for training and by NCI & Contact
Center Supervisors Quality Assurance (QA) evaluators to
ensure call quality.

20 Describe the function of the SSN.

Not Applicable (NA)

20a Cite the legal authority to use the SSN.

NA

Page 3 of 8

Save
21

Identify legal authorities governing information use
and disclosure specific to the system and program.

22

Are records on the system retrieved by one or more
PII data elements?

Public Health Service Act. (42 U.S.C. 241, 242, 248, 281, 282,
284, 285a-285q, 287, 287b, 287c, 289a, 289c, and 44 U.S.C.
3101)
Yes
No
Published:

Identify the number and title of the Privacy Act
System of Records Notice (SORN) that is being used
22a
to cover the system or identify if a SORN is being
developed.

09-90-1901, HHS Correspondence, Comment,
Customer Service, and Contact List
Records

Published:

Published:
In Progress
Directly from an individual about whom the
information pertains
In-Person
Hard Copy: Mail/Fax
Email
Online
Other
Government Sources
23

Identify the sources of PII in the system.

Non-Government Sources

Within the OPDIV
Other HHS OPDIV
State/Local/Tribal
Foreign
Other Federal Entities
Other
Members of the Public
Commercial Data Broker
Public Media/Internet
Private Sector
Other

23a

Identify the OMB information collection approval
number and expiration date.

24 Is the PII shared with other organizations?

0925-0208; Expiration Date: 11/30/2025
Yes
No

Page 4 of 8

Save

Describe the process in place to notify individuals
25 that their personal information will be collected. If
no prior notice is given, explain the reason.

On the LiveHelp chat welcome page, a written privacy notice is
posted letting users know the service is anonymous and asking
not to send PII during the chat. For PII collected during a
phone call, Information Specialists read a statement to clients
that information provided will be kept confidential, and
research studies contain their own additional informed
consent statements that are read to clients.
Additionally, CIS is working to add a Privacy Act Statement the
the sites.

26

Describe the method for individuals to opt-out of the
collection or use of their PII. If there is no option to
27
object to the information collection, provide a
reason.
Describe the process to notify and obtain consent
from the individuals whose PII is in the system when
major changes occur to the system (e.g., disclosure
28 and/or data uses have changed since the notice at
the time of original collection). Alternatively, describe
why they cannot be notified or have their consent
obtained.
Describe the process in place to resolve an
individual's concerns when they believe their PII has
29 been inappropriately obtained, used, or disclosed, or
that the PII is inaccurate. If no process exists, explain
why not.
Describe the process in place for periodic reviews of
PII contained in the system to ensure the data's
30
integrity, availability, accuracy and relevancy. If no
processes are in place, explain why not.

31

Voluntary

Is the submission of PII by individuals voluntary or
mandatory?

Identify who will have access to the PII in the system
and the reason why they require access.

Mandatory
CIS Specialists inform clients that information provided will be
kept confidential. Research studies contain their own
additional informed consent statements that are read to
clients. Individuals can choose not to provide their
information. However, in doing so, they will not be able to
have material shipped to them.
CIS Specialists inform clients that information provided will be
kept confidential and obtain consent before the call. Research
studies contain their own additional informed consent
statements that are read to clients. Individuals can choose not
to provide their information. However, in doing so, they will
not be able to have material shipped to them.
Clients may contact the Cancer Information Service (CIS) at
800-422-6237 or nciinfo@nih.gov. The CIS would refer the
complaint to the Branch Chief for the Contact Center and
Patient Inquiries Branch.
Validation is run on city/state/ZIP Code combinations entered
into CIS at the time of data entry to ensure accuracy. Records
are reviewed when QA evaluations are done on a monthly
bases.
Users

Users have access to PII to respond to
inquiries and correspondence with the
public. QA evaluators have acccess as
part of their quality reviews.

Administrators

Administrators have access to
troubleshoot issues and for general
maintenance.

Developers

Administrators have access to
troubleshoot issues and for general
maintenance.

Contractors

Third party contractors have access to
handle the daily operations of the call
center. Direct contractors have access
as NCI employees to help with

Others

Researchers reviewing data provided
by clients volunteering to participate
in research studies.

Page 5 of 8

Save
Describe the procedures in place to determine which Determinations are made based on role-based access controls
and least privilege. User rights are provisioned based on
32 system users (administrators, developers,
controls within the system, allowing users only access to the
contractors, etc.) may access PII.
minimum amount of PII necessary to perform their job.
Describe the methods in place to allow those with
33 access to PII to only access the minimum amount of
information necessary to perform their job.

Determinations are made based on role-based access controls
and least privilege. User rights are provisioned based on
controls within the system, allowing users only access to the
minimum amount of PII necessary to perform their job.

Identify training and awareness provided to
personnel (system owners, managers, operators,
contractors and/or program managers) using the
34
system to make them aware of their responsibilities
for protecting the information being collected and
maintained.

According to NIH policy, all personnel who manage or operate
NIH applications must successfully complete annual security
awareness training. There are five categories of mandatory IT
training (Information Security, Counterintelligence, Privacy
Awareness, Records Management and Emergency
Preparedness). Training is completed on the http://
irtsectraining.nih.gov site with valid NIH credentials.
Oracle promotes security awareness and educates employees
through quarterly newsletters, ad hoc security awareness
campaigns, and security-related corporate emails.

Describe training system users receive (above and
35 beyond general security and privacy awareness
training).

Do contracts include Federal Acquisition Regulation
36 and other appropriate clauses ensuring adherence to
privacy provisions and practices?
Describe the process and guidelines in place with
37 regard to the retention and destruction of PII. Cite
specific records retention schedules.

Each employee who handles data is required to complete a
data privacy awareness training course. The course instructs
employees on the definitions of data privacy and personal
data, recognizing risks relating to personal data,
understanding their responsibilities towards data, and
reporting any suspected privacy violations. Employees
handling data are also required to complete training in
corporate ethics. Additionally, employees involved in
development of custom code are required to attend secure
coding training.
Yes
No
Schedule 11-202, Communications and Agency History.
Disposition Authority: DAA-GRS-2016-0005-0002. Destroy
when 90 days old, but longer retention is authorized if
required for business use.

Page 6 of 8

Save
Administrative: CIS maintains a comprehensive list of Standard
Operating Procedures, guidance, and policies for the handling
of CIS data and system use. Contingency and Configuration
Management Plans have been developed, and are updated on
a regular basis to guide management of CIS. The CIS System
Security Plan contains detailed documentation of all selected
controls that describe the access controls, system and
communication, and the physical and environmental families.
These controls detail the protections in place for CIS, and
document the processes and procedures that are followed in
the administration of the system.

Describe, briefly but with specificity, how the PII will
38 be secured in the system using administrative,
technical, and physical controls.

Technical: Access controls are in place to ensure users can only
access data required for their daily job functions. All inbound
and outbound communications are monitored by firewall logs
and intrusion detection systems. File system-level encryption is
used to encrypt all customer data at rest adn during
transmission, including all file attachments.
Physical: Authorization is required to enter Oracle facilities and
access is monitored. Official identification must be worn while
onsite. Visitors must sign a visitor's register and be escorted
when on the premises. Possession of keys/access cards and the
ability to access locations is managed based upon role
requirements. Staff leaving Oracle employment must return
keys/cards. Continuous monitoring is done by Closed Caption
Television. Physical barriers are designed to prevent persons
and vehicles from unauthorized entry. Entrances are manned
24 hours a day, 365 days a year by security guards who
perform visual identity recognition and visitor escort
management.

39 Identify the publicly-available URL:

40 Does the website have a posted privacy notice?

https://livehelp.cancer.gov
http://supportorgs.cancer.gov
http://www.cancer.gov/global/contact/email-us
Yes
No
Yes

41

format?

No

Does the website use web measurement and
customization technology?

Yes
No

Page 7 of 8

Save
Technologies

Collects PII?
Yes

Web beacons

No
Yes

Web bugs
Select the type of website measurement and
41a customization technologies is in use and if it is used
to collect PII. (Select all that apply)

No

Session Cookies
Persistent Cookies

43

Yes

directed at children under the age of thirteen?

No

Does the website contain links to non- federal

Yes

government websites external to HHS?

No

OPDIV Senior Official
for Privacy Signature

No
No

Does the website have any information or pages

General Comments

No
Yes
Yes

Other...

42

Yes

While the CIS doesn't reside within an NIH boundary, third party contractors must still follow Authority to
Operate standards and processes. As well as obtaining authorization approval. Specific and defined
privacy and security control thresholds and expectations controlled by the third party are established
during the acquisitions and contracting process to assure compliance with Federal requirements, and the
continuous monitoring of the agreed upon risk posture.

Dustin B.
Close -S

Digitally signed by Dustin
HHS Senior
B. Close -S
Agency Official

Date: 2024.09.13 08:58:44 for Privacy
-04'00'

Digitally signed by
Bridget M. Guenther -S
Bridget M. Date:
2024.10.31
Guenther -S 11:02:00
-04'00'

Page 8 of 8