Privacy Impact Assessment Form
v 1.47.4
Status Draft
Form Number F-11186
Form Date 2/8/2021 10:45:18 AM
Question
Answer
1 OPDIV:
CDC
2 PIA Unique Identifier:
P-6144866-524316
2a Name:
CDC Office 365 (CDC O365)
3 The subject of this PIA is which of the following?
General Support System (GSS)
Major Application
Minor Application (stand-alone)
Minor Application (child)
Electronic Information Collection
Unknown
3a Identify the Enterprise Performance Lifecycle Phase of the system.
Operations and Maintenance
3b Is this a FISMA-Reportable system?
Yes
No
4 Does the system include a Website or online application available to and for the use of the general public?
Yes
No
5 Identify the operator.
Agency
Contractor
6 Point of Contact (POC):
POC Title: Associate Director Shared Services Office
POC Name: David Ausefski
POC Organization: CSPO
POC Email: add7@cdc.gov
POC Phone: 412-386-6758
7 Is this a new or existing system?
New
Existing
8 Does the system have Security Authorization (SA)?
Yes
No
8b Planned Date of Security Authorization
April 30, 2021
Not Applicable
Page 1 of 11
11 Describe the purpose of the system.
CDC has established this cloud computing Software as a
Service (SaaS) for the purpose of providing the agency with
12 Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements.)
The CDC O365 system does not solicit, collect or request
specific personally identifiable information (PII); however, it is
expected that individuals or groups of individuals will include
PII in the transmission of email messages. Likewise, users have
13 Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.
The CDC O365 is a Major Application (MA) supporting the
transfer of messages among users of the system. Staff can send
messages to other CDC staff members or externally to other
14 Does the system collect, maintain, use or share PII?
Yes
No
15 Indicate the type of PII that the system will collect or maintain.
Social Security Number
Date of Birth
Name
Photographic Identifiers
Driver's License Number
Biometric Identifiers
Mother's Maiden Name
Vehicle Identifiers
E-Mail Address
Mailing Address
Phone Numbers
Medical Records Number
Medical Notes
Financial Account Info
Certificates
Legal Documents
Education Records
Device Identifiers
Military Status
Employment Status
Foreign Activities
Passport Number
Taxpayer ID
EEO case related documents
Other...(a) Active Directory credential information (UserID)
and IP address to allow for mailbox synchronization and
email delivery (b) Any information a user chooses to include
in an email message such as unspecified PII
16 Indicate the categories of individuals about whom PII is collected, maintained or shared.
Employees
Public Citizens
Business Partners/Contacts (Federal, state, local agencies)
Vendors/Suppliers/Contractors
Patients
These categories only apply as a user may choose to
include such information and unspecified PII in an
email message, although it is not required by the
information system.
Other Within the Microsoft Teams component, external
party information related to cases may be included in
the documents. Most PII will consist of business
contact information for professionals (such as
attorneys, doctors, and representatives) and
witnesses, who may be public citizens.
17 How many individuals' PII is in the system?
50,000-99,999
18 For what primary purpose is the PII used?
The limited PII collected outside of transmitted message
content is used primarily for authentication, inbox
synchronization and message delivery. For example, Active
Directory credential information is used by the system for
authentication purposes only.
The uses of PII transmitted in the context of messages are as
varied as the functions and activities of CDC, from
administrative to regulatory to educational and others.
Within the Microsoft Teams component, EEO legal documents
include complaints, settlements, alternative dispute resolution,
and reasonable accommodations for CDC EEO cases. These
documents contain PII, which may include names, mailing
address, date of birth, medical records number, financial
information related to settlement agreements, and employment
status. The primary purpose of the PII is to meet the standard
information collected to adjudicate EEO matters and required
for other documents in the EEO scope, such as reasonable
accommodations and alternative dispute resolutions.
19 Describe the secondary uses for which the PII will be used (e.g. testing, training or research)
None
20 Describe the function of the SSN.
Not Applicable. SSN is not requested or required as part of the
agency’s or individuals’ use of this system. SSNs may be
transmitted in individual emails, but not according to any
particular, defined use.
20a Cite the legal authority to use the SSN.
Not Applicable
21 Identify legal authorities governing information use and disclosure specific to the system and program.
5 U.S.C. Section 301 which provides authority for the agency to
establish the organizations, procedures and tools necessary to
perform its duties and pursue its mission. Information use and
disclosure for this system is governed by the laws and
regulations of the individual business practice that this system
is used to conduct. Users work in various agency organizations
that have different functions and are subject to different laws
and regulations.
Within the Microsoft Teams component, EEO legal documents
include complaints, settlements, alternative dispute resolution,
and reasonable accommodations for CDC EEO cases. Legal
authorities include Executive Order 11478, 42 USC 2000e and
29 USC 633a.
22 Are records on the system retrieved by one or more PII data elements?
Yes
No
22a Identify the number and title of the Privacy Act System of Records Notice (SORN) that is being used to cover the system or identify if a SORN is being developed.
Published: 09-90-0009, "Discrimination Complaints Records"
Published:
Published:
In Progress
23 Identify the sources of PII in the system.
Directly from an individual about whom the information pertains
In-Person
Hard Copy: Mail/Fax
Email
Online
Other
Government Sources
Within the OPDIV
Other HHS OPDIV
State/Local/Tribal
Foreign
Other Federal Entities
Other
Non-Government Sources
Members of the Public
Commercial Data Broker
Public Media/Internet
Private Sector
Other
23a Identify the OMB information collection approval number and expiration date.
Not Applicable
24 Is the PII shared with other organizations?
Yes
No
24a Identify with whom the PII is shared or disclosed and for what purpose.
Within HHS
Email address and content are shared as part of normal
communication. Content of email varies with business
function.
EEO legal documents including complaints, settlements,
alternative dispute resolution, and reasonable
accommodations for CDC EEO cases may be shared with
HHS EEO staff via the HHS iComplaints system, which is used
to track EEO cases Department-wide.
Other Federal Agency/Agencies
Email address and content are shared as part of normal
communication. Content of email varies with business
function.
State or Local Agency/Agencies
Email address and content are shared as part of normal
communication. Content of email varies with business
function.
Private Sector
Email address and content are shared as part of normal
communication. Content of email varies with business
function.
EEO and related case files may be shared or disclosed with
professionals (attorneys, doctors, representatives) involved
in a specific case, in order either to provide legal representation
or to provide expert analysis and opinions on the details of
the case.
24b Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).
The agreements governing information exchange will vary
with the business functions and purposes of exchanging email.
Memorandum of Understanding and Information Sharing
Agreements may be used as directed by policy with other HHS
OpDivs with whom CDC interacts.
For EEO and related cases, the CDC employee is required to
complete a Designation of Representation Form in order to
authorize information sharing and disclosure of case
information to external professionals (attorneys, doctors,
representatives).
24c Describe the procedures for accounting for disclosures
CDC O365 may be required to make such disclosures in the
event that discovery is required pursuant to legal action; if
needed to respond to public health or other national
emergencies; or to investigate security or privacy incidents/
breaches. Such requests can be performed by an approved
System Administrator; an accounting of responses for such
disclosures will be managed through the existing
management processes within CDC Information Technology
Services Office (ITSO). For EEO and related cases, the
Designation of Representation Forms are stored and
accounted for outside of the CDC O365 system.
25 Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.
The specific processes will vary along with the underlying
business processes and practices that the use of email is
supporting. CDC personnel are notified at the time of hire of
the agency’s use of their information in the context of their
work for the agency. Personnel are also aware of the content
of messages they send through the system. Upon logging on
to the agency network prior to accessing the system, a warning
banner advises personnel that they have no expectation of
privacy when using government systems. External email
transmitters may view CDC’s web and privacy policies made
available by the agency across all CDC.gov pages.
For EEO and related cases, individuals and organizations which
consulted an EEO counselor or filed a formal allegation of
discrimination are aware of that fact. They may write the
appropriate system manager indicated below or the general
coordinator if the immediate system manager is unknown,
regarding the existence of such records pertaining to them.
The inquirers, as appropriate, should provide their name, date
of birth, agency in which employed or agency in which the
situation arose if different from employing agency, the
approximate date, and the kind of action taken, when making
inquiries about records.
System Manager: Centers for Disease Control EEO Officer,
Room 2405, Building 1, 1600 Clifton Road, NE., Atlanta, Georgia
30333
26 Is the submission of PII by individuals voluntary or mandatory?
Voluntary
Mandatory
27 Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.
Voluntary: No PII data is specifically collected or used
throughout the use of an email system; therefore, there are no
notifications to users about PII data and no consent obtained
from individuals. Obtaining consent and/or providing
notification is part of the business processes underlying the
use of an email service.
Voluntary: For EEO and related cases, PII collection is required
for case processing and adjudication. However, if the
individual declines to share PII, he or she may not initiate an
EEO complaint.
28 Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.
No major changes to CDC O365 are planned or anticipated. No
PII data is specifically collected or used throughout the use of
an email system; therefore, there are no CDC O365 specific
notifications to users about PII data and no consent obtained
from individuals. Obtaining consent and/or providing
notification is part of the business processes underlying the
use of an email service and is the responsibility of the
organization administering the business process.
For EEO and related cases, individuals and organizations which
consulted an EEO counselor or filed a formal allegation of
discrimination are aware of that fact. They may write the
appropriate system manager indicated below or the general
coordinator if the immediate system manager is unknown,
regarding the existence of such records pertaining to them
and if major changes have occurred to the system.
System Manager: Centers for Disease Control EEO Officer,
Room 2405, Building 1, 1600 Clifton Road, NE., Atlanta, Georgia
30333
29 Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.
The process in place for resolving an individual's concerns is to:
Contact the CDC Privacy Office at privacy@cdc.gov (or by
phone at 770-488-8660), reasonably identify the record and
specify the information being contested, the corrective action
sought, and the reasons for requesting the correction, along
with supporting information to show how the record is
inaccurate, incomplete, untimely, or irrelevant.
For EEO and related cases, individuals may also write the
appropriate system manager indicated below or the general
coordinator if the immediate system manager is unknown:
System Manager: Centers for Disease Control EEO Officer,
Room 2405, Building 1, 1600 Clifton Road, NE., Atlanta, Georgia
30333
30 Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.
Review of PII transmitted in the email system would not be
efficient or appropriate.
Data integrity is maintained at the level of the business
process, or through maintenance of the applications that
support business processes. The Active Directory information
used by CDC O365 originates from a separate information
system which has its own processes for maintaining integrity,
availability, accuracy and relevancy. Agency-wide
cybersecurity, physical security, continuing operations and
other measures also support data integrity and availability and
system functionality. Users are responsible for the accuracy
and relevancy of PII they transmit over CDC O365.
Within the Microsoft Teams component, EEO legal documents
include complaints, settlements, alternative dispute resolution,
and reasonable accommodations for CDC EEO cases. These
documents contain PII, which may include names, mailing
address, date of birth, medical records number, financial
information related to settlement agreements, and employment
status. The EEO case managers periodically review the EEO
legal documents (including PII) for assigned cases on an annual
basis, to ensure that only those records that are relevant and
necessary are maintained; that all records used to make a
determination about an individual are sufficiently accurate,
relevant, timely, and complete to make a fair decision; and that
all records disclosed outside CDC are consistent with
disclosure requirements of SORN 09-90-0009 "Discrimination
Complaints Records, HHS/OS/ASPER"
31 Identify who will have access to the PII in the system and the reason why they require access.
Users
To send and receive email and perform
duties.
Within the Microsoft Teams
Administrators
CDC administrators provide Tier 4 Help
Desk support which may require
performing queries related to PII.
Developers
Contractors
Offsite (indirect contractors) Microsoft
Cloud Service provider support
personnel (system administrators)
have access to PII in order to provide
Others
32 Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.
Users (i.e., those authorized to send and receive emails) and
administrators that have completed CDC onboarding and
personnel security processes, including security awareness and
33 Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.
This is a standard email system, and emails are sent from user
to specified recipients. Other parties (system administrators,
contractors, users not party to a specific communication, etc.)
will not have access to emails not specifically addressed to
them, except as needed to perform support functions such as
queries. Cloud providers in particular are not expected to have
any access to the content of transmissions.
CDC O365 system administrators with the appropriate
permissions, who have signed Rules of Behavior and
performed the required training, are able to access the
contents of emails, for authorized purposes such as e-discovery
or detection of breaches.
Enforcement of this access is implemented by a Role Based
Access Control methodology which uses a least privileges
model to determine access ability based on job roles.
Within the Microsoft Teams component, EEO legal documents
include complaints, settlements, alternative dispute resolution,
and reasonable accommodations for CDC EEO cases. Access to
and use of these records are limited to those persons whose
official duties require such access. The EEO Resource Manager
determines which OEEO staff require access to specific Teams
folders and documents and grants the minimum level of
access accordingly.
34 Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.
All users are required to complete annual Information Security
Training and Privacy Awareness Training.
35 Describe training system users receive (above and beyond general security and privacy awareness training).
Users are provided training regarding the basic concepts of
accessing email and collaboration services offered by the CDC
O365 cloud-based solution. CDC O365 Administrators are
required to complete training in Security Incident Response,
Contingency Planning and Operations, and Role-Based
training.
36 Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?
Yes
No
37 Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.
Email messages and content that constitute a federal record
which CDC is obligated to preserve will be subject to a variety
of record retention schedules specific to each business use.
Each agency user is responsible for adhering to the schedules
that apply to the records under their control.
Beyond PII maintained under an approved records schedule,
users have the ability to archive messages containing PII on
their workstation or in their mailbox indefinitely. Otherwise,
the data retention policy on the CDC O365 storage arrays is 14
days. If a user deletes a message, it is moved to
the Deleted Items Recovery folder for 14 days. After this
period, the deleted mail is stored in a purge folder for 14 days,
during which time only authorized administrators can access it.
The General Records Schedule (GRS) 5.5, item 10 (DAAGRS-2016-0012-0001) and item 020 (DAAGRS-2016-0012-0002) provide the specific retention schedules.
GRS 5.5, item 10 Disposition Authority: DAAGRS-2016-0012-0001. Destroy when 3 years old, or 3 years after
applicable agreement expires or is cancelled, as appropriate,
but longer retention is authorized if required for business use.
GRS 5.5, item 20 Disposition Authority: DAAGRS-2016-0012-0002. Destroy when 1 year old or when
superseded or obsolete, whichever is applicable, but longer
retention is authorized if required for business use.
Within the Microsoft Teams component:
SORN 09-90-0009, "Discrimination Complaints Records, HHS/
OS/ASPER", Retention and disposal: The records are retained
for four years after final disposition, and are then destroyed.
(See HHS Personnel Instruction 293-1, Exhibit X293-1-1, item
26a(1).)
38 Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.
CDC O365 implements security controls to protect PII, as
defined by OMB mandates, the Federal Information Security
Management Act (FISMA), and NIST Special Publications (SP)
800-53, 800-37, 800-122, NIST Federal Information Processing
Standards (FIPS) 200, 201, 199, 197, 140-2, and other
associated documents as outlined by Federal Risk and
Authorization Management Program (FedRAMP)
(www.fedramp.gov).
ADMINISTRATIVE CONTROLS:
PII is secured within the system through the use of
administrative controls in the form of mandatory security
awareness and privacy training for all users; role-based training
for privileged users; personnel screening as required by CDC;
completion of contractual agreements and Rules of Behavior;
and, users can encrypt email traffic, including those messages
containing PII, in accordance with applicable CDC policies.
TECHNICAL CONTROLS:
Technical controls applied to CDC O365 include: continuous
network/system monitoring; anti-malware; spam and email
content filtering; FIPS 140-2 compliant encryption of data in
transit; firewalls; Intrusion Detection System (IDS), Intrusion
Prevention System (IPS), Security Information and Event
Management (SIEM), Data Loss Prevention (DLP); and multifactor authentication.
PHYSICAL CONTROLS:
Physical controls include: Hosting within data centers which
control and monitor physical access to the system
components, including security guards, visitor control and
auditing of access records; and, protection of power
equipment and cabling, transmission medium, output devices
and use of emergency power and shutoff systems as well as
fire and water damage protection.
General Comments
Q10: The system will also include Equal Employment Opportunity (EEO) legal documents and other
related documents.
OPDIV Senior Official for Privacy Signature
Jarell Oshodi -S
Digitally signed by Jarell Oshodi -S
Date: 2021.02.18 14:21:43 -05'00'
File Type | application/pdf |
File Modified | 2021-02-18 |
File Created | 2016-03-30 |