Qualtrics-PIA-FY24-SAOP-Approved


High Frequency Surveys Program Household Trends and Outlook Pulse Survey (June, August)


OMB: 0607-1029

Template Version Number: 01-2021

U.S. Department of Commerce
U.S. Census Bureau

Privacy Impact Assessment
for the
Office of Chief Information Office
(OCIO Qualtrics

Reviewed by:

Donna Neal (on behalf of Byron Cre
_____________________________________,
Bureau Chief Privacy Officer

☐ Concurrence of Senior Agency Official for Privacy/DOC Chief Privacy Officer
☐ Non-concurrence of Senior Agency Official for Privacy/DOC Chief Privacy Officer

CHARLES CUTSHALL

Digitally signed by CHARLES CUTSHALL
Date: 2024.05.21 16:40:49 -04'00'

5/21/24
______________________________________________________________________________
Signature of Senior Agency Official for Privacy/DOC Chief Privacy Officer
Date


U.S. Department of Commerce Privacy Impact Assessment
U.S. Census Bureau, Qualtrics
Unique Project Identifier: 006-000401700 00-07-02-00-01-00
Introduction: System Description
Provide a brief description of the information system.
Qualtrics is a Cloud-based subscription survey software which allows for online collection of
information to support Census Bureau activities. Survey information collected in Qualtrics is
used for statistical purposes only. The information in Qualtrics can only be accessed by sworn
Census Bureau employees or contractors. The Qualtrics Cloud service provider does not have
access to the encryption keys for Census Bureau data.
The Census Bureau’s use of the Qualtrics system serves four separate and distinct types of
surveys:
1. Qualtrics is used to create/manage/conduct surveys for qualitative research including
cognitive interviews, usability testing, and focus groups to test new materials and
methods.
2. Qualtrics is used to create/manage/conduct surveys to understand public perceptions of
the work the Census Bureau is doing.
3. Qualtrics is used to create/manage/conduct ad-hoc surveys to measure specific social
and economic conditions of the nation.
4. Qualtrics is also used to collect data from Census employees for training and other
human resource purposes.

Address the following elements:
(a) Whether it is a general support system, major application, or other type of system
Qualtrics is a FedRAMP approved Software as a Service (SaaS)
(b) System location
Amazon Web Services (AWS) Gov Cloud located in Oregon, U.S.A.


(c) Whether it is a standalone system or interconnects with other systems (identifying and
describing any other systems to which it interconnects)
Stand-alone
(d) The way the system operates to achieve the purpose(s) identified in Section 4
This system will serve as a research data collection tool. In addition to collecting data, the tool is
also used to evaluate and improve the Census Bureau’s online services for decennial, economic
and demographic surveys. The tool is programmed by Census Bureau staff and sent to sampled
members of the public, employees, or customers for data collection. Through this tool, the
Census Bureau can:
• Create, test, modify, and implement surveys,
• Apply flow logic to surveys with advanced branching and display logic,
• Use a variety of question types,
• Embed data (either pre-existing from an input file or from previous survey questions),
• Implement survey quotas,
• Provide mobile and offline compatibility,
• Randomize within questions, between questions, and between survey instruments.

(e) How information in the system is retrieved by the user
Data access is predominantly for the purpose of data analysis and the generation of statistics. If a
Census Bureau analyst has access to the data, they can retrieve the data based on any of the
characteristics collected in the data, including personally identifiable information (PII).
However, this type of retrieval is rare and is for the purpose of quality control.
(f) How information is transmitted to and from the system
Respondents submit data using HTTPS (TLSv1.2 with AES 128/256 depending on the browser)
to the front-end web server (typically customername.qualtrics.com). All data in transit
(respondent data to the cloud and the data from the cloud to Census) is encrypted via TLSv1.2.
Data are processed by application servers and sent to database servers for storage. Web data are
delivered to the respondent in the form of survey questions, graphics, and other content created
in the survey design. Some surveys are restricted by password or location, as set up by the survey
creator. This multi-tiered architecture has multiple layers of hardware and software security to
ensure that no device/user can be inserted into the communication channel.
For high availability and speed, base code and static images/docs are stored in the cloud and
delivered to users as efficiently as possible using cache and location information.

(g) Any information sharing conducted by the system
Data collected in this system will be stored within the system and transferred to Census Bureau
systems for storage and analysis as described above. Data will be shared with survey sponsors.
(h) The specific programmatic authorities (statutes or Executive Orders) for collecting,
maintaining, using, and disseminating the information
Title 13 U.S.C., Sections 6 (c), 141 and 193
Title 13 U.S.C., Chapter 5, 8(b), 131, and 182.
Title 13 U.S.C. 8(b), 182, and 196.
15 CFR part 50.
5 U.S.C. 3301 and 1402
1128 of the National Defense Authorization Act
5 USC 1101 Note
EO 13197/66 FR 7853
Title 26 U.S.C

(i) The Federal Information Processing Standards (FIPS) 199 security impact category for the
system
Moderate


Section 1: Status of the Information System
1.1 Indicate whether the information system is a new or existing system.
____ This is a new information system.
____ This is an existing information system with changes that create new privacy risks.
(Check all that apply.)
Changes That Create New Privacy Risks (CTCNPR)
a. Conversions
b. Anonymous to Non-Anonymous
c. Significant System Management Changes
d. Significant Merging
e. New Public Access
f. Commercial Sources
g. New Interagency Uses
h. Internal Flow or Collection
i. Alteration in Character of Data
j. Other changes that create new privacy risks (specify):

____ This is an existing information system in which changes do not create new privacy
risks, and there is not a SAOP approved Privacy Impact Assessment.
_X__ This is an existing information system in which changes do not create new privacy
risks, and there is a SAOP approved Privacy Impact Assessment.
Section 2: Information in the System
2.1 Indicate what personally identifiable information (PII)/business identifiable information
(BII) is collected, maintained, or disseminated. (Check all that apply.)

Identifying Numbers (IN)
a. Social Security*
b. Taxpayer ID
c. Employer ID
d. Employee ID
e. File/Case ID
f. Driver’s License
g. Passport
h. Alien Registration
i. Credit Card
j. Financial Account
k. Financial Transaction
l. Vehicle Identifier
m. Medical Record
n. Other identifying numbers (specify):

*Explanation for the business need to collect, maintain, or disseminate the Social Security number, including
truncated form:

General Personal Data (GPD)
a. Name
X
b. Maiden Name
X
c. Alias
X
d. Gender
X

1

h.
i.
j.
k.

Date of Birth
Place of Birth
Home Address
Telephone Number

X
X
X
X

o.
p.
q.
r.

Financial Information
Medical Information
Military Service
Criminal Record

Does not include financial account information, but only income and program participation.


X1
X
X

e.
f.
g.
u.

Age
X
l. Email Address
Race/Ethnicity
X
m. Education
Citizenship
X
n. Religion
Other general personal data (specify):

X
X

s. Physical Characteristics
t. Mother’s Maiden Name

i.
j.

Work-Related Data (WRD)
a. Occupation
b. Job Title

X
X

e. Work Email Address
f. Salary

X
X

c. Work Address

X

g. Work History

X

d. Work Telephone
Number

X

h. Employment
Performance Ratings or
other Performance
Information

Business Associates
Proprietary or Business
Information
k. Procurement/contracting
records

X

k. Other work-related data (specify):

Distinguishing Features/Biometrics (DFB)
a. Fingerprints
f. Scars, Marks, Tattoos
b. Palm Prints
g. Hair Color
c. Voice/Audio Recording
h. Eye Color
d. Video Recording
i. Height
e. Photographs
j. Weight
p. Other distinguishing features/biometrics (specify):

System Administration/Audit Data (SAAD)
a. User ID
X
c. Date/Time of Access
b. IP Address
X
f. Queries Run
e. Other system administration/audit data (specify):

X
X

X

k.
l.
m.
n.
o.

Signatures
Vascular Scans
DNA Sample or Profile
Retina/Iris Scans
Dental Profile

e. ID Files Accessed
f. Contents of Files

Other Information (specify)

2.2 Indicate sources of the PII/BII in the system. (Check all that apply.)

Directly from Individual about Whom the Information Pertains
In Person
Hard Copy: Mail/Fax
Telephone
Email
Other (specify):

Government Sources
Within the Bureau
State, Local, Tribal
Other (specify):

X

Other DOC Bureaus
Foreign


Online

Other Federal Agencies

X

Non-government Sources
Public Organizations
Private Sector
Commercial Data Brokers
Third Party Website or Application
Other (specify):

2.3 Describe how the accuracy of the information in the system is ensured.

Data collected through this system is self-response. After submission of the survey, respondents can submit a
Privacy Act request to review their responses for accuracy.
Respondents’ Perspective:
1. A respondent takes a survey, and the response is submitted to Qualtrics short-term response storage
over HTTPS.
2. All data for every survey collected by Census Bureau are encrypted.
3. The Encryption Service uses the customer-specific Master Key in Amazon KMS service to retrieve the
survey's AES 256-bit data encryption key from the Amazon Key Management Service.
4. The Encryption Service uses the key, plus a response-specific initialization vector, to encrypt the data
and write it to the Qualtrics Response Database.
5. When the response information is eventually recorded to backup in an offsite data center, backup data
are still in their encrypted form and an extra layer of encryption is applied to the entire disk.
Internal Users’ Perspective:
1. The user authenticates to Qualtrics.
2. The user makes a request to response storage to get data for a particular survey.
3. The unique customer ID for the survey is referenced to determine whether the customer uses Qualtrics
Data Isolation.
4. If Data Isolation is used, the Encryption Service uses the customer-specific Master Key in Amazon
KMS service to retrieve the survey's AES 256-bit data encryption key from the Amazon Key
Management Service.
5. The encrypted data are retrieved from the Qualtrics Response Cache and/or Response Database and
then decrypted with the customer's key and the response’s unique initialization vector.
6. The data are returned in plaintext to the user over HTTPS.

2.4 Is the information covered by the Paperwork Reduction Act?
_X__ Yes, the information is covered by the Paperwork Reduction Act.
Provide the OMB control number and the agency number for the collection.
0607-0725; 0607-0978; 0607-0971, 0690-0030, 0690-0035, 0607-1029, 0607-1025, 0607-1027,
1850-0975, 0920-0214
____ No, the information is not covered by the Paperwork Reduction Act.

2.5 Indicate the technologies used that contain PII/BII in ways that have not been previously
deployed. (Check all that apply.)

Technologies Used Containing PII/BII Not Previously Deployed (TUCPBNPD)
____ Smart Cards
____ Biometrics
____ Caller-ID
____ Personal Identity Verification (PIV) Cards
____ Other (specify):

_X__ There are not any technologies used that contain PII/BII in ways that have not been previously deployed.

Section 3: System Supported Activities
3.1 Indicate IT system supported activities which raise privacy risks/concerns. (Check all that
apply.)

Activities
____ Audio recordings
____ Building entry readers
____ Video surveillance
____ Electronic purchase transactions
____ Other (specify):

_X__ There are not any IT system supported activities which raise privacy risks/concerns.

Section 4: Purpose of the System
4.1 Indicate why the PII/BII in the IT system is being collected, maintained, or disseminated.
(Check all that apply.)

Purpose
____ For a Computer Matching Program
____ For administering human resources programs
____ For administrative matters
____ To promote information sharing initiatives
____ For litigation
____ For criminal law enforcement activities
____ For civil enforcement activities
____ For intelligence activities
_X__ To improve Federal services online
_X__ For employee or customer satisfaction
____ For web measurement and customization technologies (single-session)
____ For web measurement and customization technologies (multi-session)
Other (specify): Information collected by this IT system will be used to produce national demographic and
economic statistics. In addition, this IT system will also be used to support the Census Bureau in testing new
materials and methods to understand public perceptions of the work the Census Bureau is doing. This will be used
in addition to the qualitative research methods, cognitive interviews, usability testing and focus groups that
Census Bureau currently conducts.

Section 5: Use of the Information
5.1 In the context of functional areas (business processes, missions, operations, etc.) supported
by the IT system, describe how the PII/BII that is collected, maintained, or disseminated
will be used. Indicate if the PII/BII identified in Section 2.1 of this document is in
reference to a federal employee/contractor, member of the public, foreign national, visitor
or other (specify).
PII will be collected from members of the public and from businesses.
• Research information for developing and testing questionnaires will be used by staff
from the Census Bureau to evaluate and improve the quality of the data in the surveys
and censuses that are ultimately conducted.
• Information collected for survey data will be used to produce national demographic
and economic statistics.

PII will also be collected from Census Bureau employees, contractors, and other federal
government personnel, for training surveys and other human resource purposes such as the
exit and retention surveys, recruitment at job fairs, satisfaction surveys, etc.
5.2 Describe any potential threats to privacy as a result of the bureau’s/operating unit’s use of
the information, and controls that the bureau/operating unit has put into place to ensure
that the information is handled, retained, and disposed appropriately. (For example:
mandatory training for system users regarding appropriate handling of information,
automatic purging of information in accordance with the retention schedule, etc.)

The U.S. Census Bureau’s use of data/information presents possible threats such as internal breaches
caused by employees within an organization. Today’s most damaging security threats do not
originate from malicious outsiders or malware but from trusted insiders - both malicious insiders
and negligent insiders. Inside threats are not just malicious employees that intend to directly harm the
Bureau through theft or sabotage. Negligent employees can unintentionally cause security breaches
and leaks by accident. To prevent or mitigate potential threats to privacy the U.S. Census Bureau has
put into place mandatory training for all system users. All Census Bureau employees and contractors
undergo mandatory annual data stewardship training to include proper handling, dissemination, and
disposal of BII/PII/Title 13/Title 26 data.
All system users will complete annual Data Stewardship Training and will sign both the Census
Bureau and the Qualtrics' Acceptable Use Policies, which specify the protection of data, and that the
data, when applicable, is stored on the secure Census network.
All data in transit and at rest (respondent data to the cloud and the data from the cloud to Census) is
encrypted via TLSv1.2. The cloud service providers will not possess the encryption keys to Census
Bureau data.
Deprecated or defective media (specifically, hard drives) are erased according to a U.S. Department of
Defense compliant 3-pass overwrite standard, and/or physically destroyed.
At the end of the retention period, surveys will be deleted. Since Qualtrics uses the data isolation
service, a key hierarchy is created for each Federal customer. Key management is via Amazon
Web Services Key Management Service (KMS). Each customer has a unique Key Encryption Key
(KEK) used to encrypt and protect a series of unique Data Encryption Keys (DEK). A unique
DEK is created for each customer survey. A federal customer may request key destruction of the
customer-specific KEK, which leads to survey data destruction. The data decommissioning procedures
are established by the federal customer Brand administrator.
The Census Bureau conducts various surveys that study households, businesses, schools, hospitals,
and more. These statistics deliver valuable information for local officials and organizations who
provide resources and services to the community. If a respondent has been contacted to participate in
a survey and wants to verify that it is legitimate, they can do so in numerous ways. The Census
Bureau provides guidance on how to verify the legitimacy of a survey invitation at the following link:
https://www.census.gov/programs-surveys/surveyhelp/verify-a-survey.html

Section 6: Information Sharing and Access
6.1 Indicate with whom the bureau intends to share the PII/BII in the IT system and how the
PII/BII will be shared. (Check all that apply.)
Recipient

Case-by-Case

Within the bureau
DOC bureaus
Federal agencies
State, local, tribal gov’t agencies
Public
Private sector
Foreign governments
Foreign entities
Other (specify):

How Information will be Shared
Bulk Transfer
Direct Access
X
X
X2
X2

The PII/BII in the system will not be shared.

6.2 Does the DOC bureau/operating unit place a limitation on re-dissemination of PII/BII
shared with external agencies/entities?
Yes, the external agency/entity is required to verify with the DOC bureau/operating unit before
re-dissemination of PII/BII.

X

2

No, the external agency/entity is not required to verify with the DOC bureau/operating unit before
re-dissemination of PII/BII.
No, the bureau/operating unit does not share PII/BII with external agencies/entities.

Data collected on behalf of a survey sponsor is shared with the survey sponsors.


6.3 Indicate whether the IT system connects with or receives information from any other IT
systems authorized to process PII and/or BII.
_X__ Yes, this IT system connects with or receives information from another IT system(s) authorized to
process PII and/or BII.
The Qualtrics system does not connect directly to any Census Bureau systems; however, contact files can
be manually uploaded from Census Bureau systems into the Qualtrics system when necessary.
Provide the name of the IT system and describe the technical controls which prevent PII/BII leakage:
The Census Bureau uses a multitude of security controls mandated by the Federal Information Security
Modernization Act of 2014 (FISMA) and various other regulatory control frameworks including the
National Institute of Standards and Technology (NIST) special publication 800 series. These security
controls include but are not limited to the use of mandatory HTTPS for public facing websites, access
controls, anti-virus solutions, enterprise auditing/monitoring, encryption of data in transit and at rest, and
various physical controls at Census Bureau facilities that house Information Technology systems. The
Census Bureau also deploys a Data Loss Prevention solution and a security operations center to monitor
all Census IT systems on a 24/7/365 basis.
____ No, this IT system does not connect with or receive information from another IT system(s) authorized to
process PII and/or BII.

6.4 Identify the class of users who will have access to the IT system and the PII/BII. (Check
all that apply.)

Class of Users
General Public
X
Government Employees
X
Contractors
X
Other (specify): General public will have access to enter their own data only. They will not have access to other
respondents’ data.

Section 7: Notice and Consent
7.1 Indicate whether individuals will be notified if their PII/BII is collected, maintained, or
disseminated by the system. (Check all that apply.)
_X__ Yes, notice is provided pursuant to a system of records notice published in the Federal Register and
discussed in Section 9.
_X__ Yes, notice is provided by a Privacy Act statement and/or privacy policy. The Privacy Act statement
and/or privacy policy can be found at: A notice specific to the collection will be provided by a Privacy
Act statement once the user accesses the system.
____ Yes, notice is provided by other means. Specify how:
____ No, notice is not provided. Specify why not:

7.2 Indicate whether and how individuals have an opportunity to decline to provide PII/BII.

_X__ Yes, individuals have an opportunity to decline to provide PII/BII.
Specify how: Individuals may refuse to participate in the survey or, if they do participate, they may
refuse to answer specific questions.
____ No, individuals do not have an opportunity to decline to provide PII/BII.
Specify why not:

7.3 Indicate whether and how individuals have an opportunity to consent to particular uses of
their PII/BII.
_X__ Yes, individuals have an opportunity to consent to particular uses of their PII/BII.
Specify how: The privacy act statement will provide implied consent specific to each data collection.
____ No, individuals do not have an opportunity to consent to particular uses of their PII/BII.
Specify why not:

7.4 Indicate whether and how individuals have an opportunity to review/update PII/BII
pertaining to them.
_X__ Yes, individuals have an opportunity to review/update PII/BII pertaining to them.
Specify how: For survey data, respondents may submit a Privacy Act request to review their information.
_X__ No, individuals do not have an opportunity to review/update PII/BII pertaining to them.
Specify why not: For research data, these data are collected for research purposes only, therefore
there is not an opportunity to review/update.

Section 8: Administrative and Technological Controls
8.1 Indicate the administrative and technological controls for the system. (Check all that
apply.)

_X__ All users signed a confidentiality agreement or non-disclosure agreement.
_X__ All users are subject to a Code of Conduct that includes the requirement for confidentiality.
_X__ Staff (employees and contractors) received training on privacy and confidentiality policies and practices.
_X__ Access to the PII/BII is restricted to authorized personnel only.
_X__ Access to the PII/BII is being monitored, tracked, or recorded.
Explanation: Only authorized government/contractor personnel are allowed to access PII/BII within a
system. In addition, audit logs are in place and assessed per NIST control AU-03, Content of Audit
records.
_X__ The information is secured in accordance with FISMA requirements.
Provide date of most recent Assessment and Authorization (A&A): 7/18/2023
☐ This is a new system. The A&A date will be provided when the A&A package is approved.
_X__ The Federal Information Processing Standard (FIPS) 199 security impact category for this system is a
moderate or higher.
_X__ NIST Special Publication (SP) 800-122 and NIST SP 800-53 Revision 5 Appendix J recommended
security controls for protecting PII/BII are in place and functioning as intended; or have an approved Plan
of Action and Milestones (POA&M).
_X__ A security assessment report has been reviewed for the supporting information system and it has been
determined that there are no additional privacy risks.
_X__ Contractors that have access to the system are subject to information security provisions in their contracts
required by DOC policy.
_X__ Contracts with customers establish ownership rights over data including PII/BII.
_X__ Acceptance of liability for exposure of PII/BII is clearly defined in agreements with customers.
____ Other (specify):

8.2 Provide a general description of the technologies used to protect PII/BII on the IT system.
(Include data encryption in transit and/or at rest, if applicable).

All response data resides in Amazon Web Services (AWS) GovCloud (environment is specific only for Federal
customers), and data is protected by disk level encryption and database encryption. In addition, the encryption
keys are maintained by the Census Bureau. The cloud provider will not have access to the encryption keys.
AWS GovCloud has an existing ATO (Authority to Operate) under FedRAMP, which gives Government
agencies the ability to leverage AWS GovCloud for sensitive workloads.
Privileged Engineer access to the Insight Platform production environment is by SSH to the bastion host, but
they do not have access to customer PII. Within the production system, Qualtrics uses both disk level encryption
as well as database encryption to protect customer data.
Qualtrics uses Transport Layer Security (TLS) encryption for all transmitted Internet data. Customers may opt
to password protect their surveys or have unique ID links that are difficult to guess. Our services are hosted by
trusted third party data centers that are audited using the industry standard SSAE-16 SOC 1 Type 2 method. All
data at rest are protected using sophisticated electronic controls, and data on deprecated hard drives are
destroyed by U.S. DOD methods and delivered to a third-party data destruction service.
Census Bureau Information technology systems employ a multitude of layered security controls to protect
BII/PII at rest, during processing, as well as in transit. These NIST 800-53 controls, at a minimum, are deployed
and managed at the enterprise level including, but not limited to the following:
• Intrusion Detection | Prevention Systems (IDS | IPS)
• Firewalls
• Mandatory use of HTTP(S) for Census Public facing websites
• Use of trusted internet connection (TIC)
• Anti-Virus software to protect host/end user systems
• Encryption of databases (Data at rest)
• HSPD-12 Compliant PIV cards
• Access Controls
Census Bureau Information technology systems also follow the National Institute of Standards and Technology
(NIST) standards including special publications 800-53, 800-63, 800-37 etc. Any system within the Census
Bureau that contains, transmits, or processes BII/PII has a current authority to operate (ATO) and goes through
continuous monitoring on a yearly basis to ensure controls are implemented and operating as intended. The
Census Bureau also deploys a Data Loss Prevention solution and a security operations center to monitor all
Census IT systems on a 24/7/365 basis.

Section 9: Privacy Act
9.1 Is the PII/BII searchable by a personal identifier (e.g., name or Social Security number)?
__X__ Yes, the PII/BII is searchable by a personal identifier.
____ No, the PII/BII is not searchable by a personal identifier.

9.2 Indicate whether a system of records is being created under the Privacy Act, 5 U.S.C.
§ 552a. (A new system of records notice (SORN) is required if the system is not covered
by an existing SORN).
As per the Privacy Act of 1974, “the term ‘system of records’ means a group of any records under the control of any agency from which
information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned
to the individual.”

_X__ Yes, this system is covered by an existing system of records notice (SORN).
Provide the SORN name, number, and link. (list all that apply):
CENSUS-3, Special Censuses, Surveys, and Other Studies:
https://www.osec.doc.gov/opog/PrivacyAct/SORNs/census-3.html
CENSUS-4, Economic Survey Collection:
http://www.osec.doc.gov/opog/PrivacyAct/SORNs/census-4.html
CENSUS-5, Decennial Census Program:
http://www.osec.doc.gov/opog/PrivacyAct/SORNs/census-5.html
CENSUS-7, Demographic Survey Collection (Non-Census Bureau Sampling Frame):
https://www.osec.doc.gov/opog/PrivacyAct/SORNs/census-7.html
____ Yes, a SORN has been submitted to the Department for approval on (date).
____ No, this system is not a system of records and a SORN is not applicable.

Section 10: Retention of Information
10.1 Indicate whether these records are covered by an approved records control schedule and
monitored for compliance. (Check all that apply.)
_X__ There is an approved record control schedule.
Provide the name of the record control schedule:
GRS 3.1
GRS 4.2
Decennial Records are covered by:
Nl-29-05-01, N1-29-10-5, GRS 3.1, GRS 5.6 item 181
Demographic Records are covered by:
N1-29-99-5, N1-29-89-3, N1-29-12-1, NC1-29-79-7, and GRS 3.1 GRS 3.2 GRS 4.1, GRS 4.3
____ No, there is not an approved record control schedule.
Provide the stage in which the project is in developing and submitting a records control schedule:
_X__ Yes, retention is monitored for compliance to the schedule.
____ No, retention is not monitored for compliance to the schedule. Provide explanation:

10.2 Indicate the disposal method of the PII/BII. (Check all that apply.)

Disposal
____ Shredding
_X__ Overwriting
____ Degaussing
_X__ Deleting
Other (specify): At the end of the retention period, surveys will be deleted. Since Qualtrics uses the data isolation
service, a key hierarchy is created for each Federal customer. Key management is via Amazon Web Services Key
Management Service (KMS). Each customer has a unique Key Encryption Key (KEK) used to encrypt and
protect a series of unique Data Encryption Keys (DEK). A unique DEK is created for each customer survey. A
federal customer may request key destruction of the customer specific KEK which leads to survey data
destruction. The data decommissioning procedures are established by the federal customer Brand administrator.
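
The key hierarchy described in Sections 2.3, 5.2 and 10.2 (per-customer KEK, per-survey DEK, per-response initialization vector, KEK destruction as the disposal step), shown as an added sketch that is not Qualtrics, AWS or Census Bureau code. `ToyKms`, `ResponseStore`, the sample identifiers, the use of AES-256-GCM and the context binding via associated data are assumptions; the assessment specifies only AES 256-bit keys and an initialization vector.

```javascript
// Added example (constructed): toy model of the KEK -> DEK -> per-response IV hierarchy.
// ToyKms is a local stand-in for a key management service; it is NOT the AWS KMS API.
// AES-256-GCM is an assumption: the assessment only says "AES 256-bit" plus an IV.
const crypto = require('crypto');
const ALG = 'aes-256-gcm';

// Encrypt under `key` with a fresh random 96-bit IV; `aad` binds the ciphertext to its context.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv(ALG, key, iv);
  cipher.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt and authenticate; throws if key, IV, tag or context do not match.
function open(key, box, aad) {
  const decipher = crypto.createDecipheriv(ALG, key, box.iv);
  decipher.setAAD(Buffer.from(aad));
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

class ToyKms {
  constructor() { this.keks = new Map(); }            // customerId -> KEK (never leaves the KMS)
  createKek(customerId) { this.keks.set(customerId, crypto.randomBytes(32)); }
  generateDataKey(customerId, surveyId) {             // new DEK plus its KEK-wrapped form
    const dek = crypto.randomBytes(32);
    return { dek, wrapped: seal(this.kek(customerId), dek, surveyId) };
  }
  unwrap(customerId, surveyId, wrapped) { return open(this.kek(customerId), wrapped, surveyId); }
  destroyKek(customerId) {                            // disposal: zero the KEK and forget it
    const k = this.keks.get(customerId);
    if (k) k.fill(0);
    this.keks.delete(customerId);
  }
  kek(customerId) {
    const k = this.keks.get(customerId);
    if (!k) throw new Error(`KEK for ${customerId} is not available`);
    return k;
  }
}

class ResponseStore {
  constructor(kms) { this.kms = kms; this.surveys = new Map(); this.rows = []; }
  createSurvey(customerId, surveyId) {
    const { dek, wrapped } = this.kms.generateDataKey(customerId, surveyId);
    dek.fill(0);                                      // only the wrapped DEK is persisted
    this.surveys.set(surveyId, { customerId, wrapped });
  }
  withDek(surveyId, fn) {                             // unwrap, use, then wipe the DEK
    const { customerId, wrapped } = this.surveys.get(surveyId);
    const dek = this.kms.unwrap(customerId, surveyId, wrapped);
    try { return fn(dek); } finally { dek.fill(0); }
  }
  writeResponse(surveyId, responseId, text) {
    const box = this.withDek(surveyId, (dek) => seal(dek, text, `${surveyId}/${responseId}`));
    this.rows.push({ surveyId, responseId, box });
  }
  readResponse(responseId) {
    const row = this.rows.find((r) => r.responseId === responseId);
    if (!row) throw new Error('no such response');
    return this.withDek(row.surveyId, (dek) =>
      open(dek, row.box, `${row.surveyId}/${responseId}`).toString('utf8'));
  }
}

function demo() {
  const kms = new ToyKms();
  kms.createKek('customer-A');                        // constructed identifiers
  const store = new ResponseStore(kms);
  store.createSurvey('customer-A', 'SV_1');
  store.writeResponse('SV_1', 'R_1', 'household size: 4');
  store.writeResponse('SV_1', 'R_2', 'household size: 4');

  const before = store.readResponse('R_1');
  const [r1, r2] = store.rows;
  // Same plaintext, same DEK, different IVs: the stored ciphertexts must differ.
  const distinct = !r1.box.iv.equals(r2.box.iv) && !r1.box.ct.equals(r2.box.ct);

  // Moving R_1's ciphertext into R_2's row is rejected by the context binding.
  const saved = r2.box;
  r2.box = r1.box;
  let swapRejected = false;
  try { store.readResponse('R_2'); } catch (e) { swapRejected = true; }
  r2.box = saved;

  // Disposal: the rows (and any backup copies of them) remain, but nothing can unwrap the DEK.
  kms.destroyKek('customer-A');
  let after = null;
  try { after = store.readResponse('R_1'); } catch (e) { after = null; }
  return { before, distinct, swapRejected, rowsKept: store.rows.length, after };
}

console.log(demo());
```

The same property is what makes KEK destruction a disposal method for encrypted backups: the backup still holds ciphertext and wrapped DEKs, and neither is usable once the KEK is gone.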

Section 11: NIST Special Publication 800-122 PII Confidentiality Impact Level
11.1 Indicate the potential impact that could result to the subject individuals and/or the
organization if PII were inappropriately accessed, used, or disclosed. (The PII
Confidentiality Impact Level is not the same as the Federal Information Processing
Standards (FIPS) 199 security impact category.)

X

Low – the loss of confidentiality, integrity, or availability could be expected to have a limited adverse
effect on organizational operations, organizational assets, or individuals.
Moderate – the loss of confidentiality, integrity, or availability could be expected to have a serious
adverse effect on organizational operations, organizational assets, or individuals.
High – the loss of confidentiality, integrity, or availability could be expected to have a severe or
catastrophic adverse effect on organizational operations, organizational assets, or individuals.

11.2 Indicate which factors were used to determine the above PII confidentiality impact levels.
(Check all that apply.)
X

Identifiability

Provide explanation:
PII collected can be indirectly used to identify individuals or if
combined with other data elements may uniquely identify an
individual.

X

Quantity of PII

Provide explanation:
The collection is for samples; therefore, a serious or substantial
number of individuals would be affected if there was loss, theft,
or compromise of the data.

X

Data Field Sensitivity

Provide explanation:
The PII, alone or in combination, may be relevant in some other
contexts and may, in those contexts, make the individuals or the
Census Bureau vulnerable to harm.

X

Context of Use

Provide explanation:
Disclosure of the PII may result in serious harm to the individual
or organization.

X

Obligation to Protect Confidentiality

Provide explanation:

Role-specific privacy laws, regulations, or mandates (e.g., those
that cover certain types of healthcare or financial information)
apply that add more restrictive requirements to government-wide
requirements. Violations may result in serious civil or criminal
penalties.
X

Access to and Location of PII

Provide explanation:
The PII is physically located on servers owned and managed by a
third-party vendor at offsite facilities located in the United States.
The third-party vendors used are Federal Risk and Authorization
Management Program (FedRAMP) approved Cloud Service
Providers (CSPs).

Other:

Provide explanation:

Section 12: Analysis
12.1 Identify and evaluate any potential threats to privacy that exist in light of the information
collected or the sources from which the information is collected. Also, describe the
choices that the bureau/operating unit made with regard to the type or quantity of
information collected and the sources providing the information in order to prevent or
mitigate threats to privacy. (For example: If a decision was made to collect less data,
include a discussion of this decision; if it is necessary to obtain information from sources
other than the individual, explain why.)
Data stored in the AWS GovCloud is in accordance with federal information security
standards; however, the Census Bureau has taken the extra step of maintaining the encryption
keys to Census data stored on the cloud. The cloud service provider does not have access to
the encryption keys.
Insider threat is always possible. In addition to the security protocols already described in this
assessment, the Census Bureau limits access to sensitive information to sworn employees
who have an authorized business need to know.
12.2 Indicate whether the conduct of this PIA results in any required business process changes.
____ Yes, the conduct of this PIA results in required business process changes.
Explanation:
_X__ No, the conduct of this PIA does not result in any required business process changes.

12.3 Indicate whether the conduct of this PIA results in any required technology changes.
____ Yes, the conduct of this PIA results in required technology changes.
Explanation:
_X__ No, the conduct of this PIA does not result in any required technology changes.



File Type: application/pdf
File Title: Qualtrics-PIA-FY24-SAOP-Approved.pdf
Author: lmartin1
File Modified: 2024-05-24
File Created: 2024-05-24
