Pia

Save

Privacy Impact Assessment Form
v 1.47.4
Status Draft

Form Number

F-84398

Form Date

Question

Answer

1

OPDIV:

NIH

2

PIA Unique Identifier:

P-4312795-620477

2a Name:

5/12/2023 12:13:59 PM

Chimpanzee Research Use Reporting System
General Support System (GSS)
Major Application

3

Minor Application (stand-alone)

The subject of this PIA is which of the following?

Minor Application (child)
Electronic Information Collection
Unknown

3a

Identify the Enterprise Performance Lifecycle Phase
of the system.

Operations and Maintenance
Yes

3b Is this a FISMA-Reportable system?

4

Does the system include a Website or online
application available to and for the use of the general
public?

5

Identify the operator.

6

Point of Contact (POC):

7

Is this a new or existing system?

8

Does the system have Security Authorization (SA)?

8a Date of Security Authorization

No
Yes
No
Agency
Contractor
POC Title

Health Science Policy Analyst

POC Name

C. Taylor Gilliland

POC Organization NIH/OD/DPCPSI
POC Email

c.gilliland@nih.gov

POC Phone

301-332-0093
New
Existing
Yes
No

Dec 21, 2020

Page 1 of 7

Save

9

Indicate the following reason(s) for updating this PIA.
Choose from the following options.

PIA Validation (PIA
Refresh/Annual Review)
Anonymous to NonAnonymous
New Public Access
Internal Flow or Collection

Significant System
Management Change
Alteration in Character of
Data
New Interagency Uses
Conversion

Commercial Sources

10

Describe in further detail any changes to the system
that have occurred since the last PIA.

11 Describe the purpose of the system.

There have been no changes to the system.
The Chimpanzee Research Use Reporting System (CRU) is a
National Institutes of Health (NIH) system to obtain
information needed by the NIH to assess whether proposed
research satisfies the agency policy for research involving
chimpanzees. The NIH considers the information submitted
through this form prior to the agency making funding
decisions or otherwise allowing the research to begin.
Completion of this form is a mandatory step toward receiving
NIH support or approval for research involving chimpanzees.
The CRU collects descriptions of proposed research from
applicants or offerors and how it satisfies the agency policy for
research involving chimpanzees. The following applicant
Personally Identifiable Information (PII) is collected: name,
email, phone number, mailing address, organizational
affiliation, Electronic Research Administration (eRA) Commons
Identification (ID), and login credentials for 3rd party
applicants.

Describe the type of information the system will
System users log into the system using the NIH Identity,
collect, maintain (store), or share. (Subsequent
12
questions will identify if this information is PII and ask Credential, and Access Management (IAM) Services which
maintains its own unique privacy impact assessment (PIA) on
about the specific data elements.)
record, including all legal authorities documented. The
purpose of IAM Services is to authenticate and authorize all
users and computers in a Windows domain type network;
assigning and enforcing information security policies for all
computers and installing or updating software. The IAM
Services collect unique user credentials and stores them in an
encrypted format. The IAM Services are an essential service
which facilitates and governs network access to various
resources.
Provide an overview of the system and describe the
13 information it will collect, maintain (store), or share,
either permanently or temporarily.
14 Does the system collect, maintain, use or share PII?

The Chimpanzee Research Use Reporting System (CRU) is a
National Institutes of Health (NIH) system to obtain
information needed by the NIH to assess whether proposed
Yes
No

Page 2 of 7

Save

15

Indicate the type of PII that the system will collect or
maintain.

Social Security Number

Date of Birth

Name

Photographic Identifiers

Driver's License Number

Biometric Identifiers

Mother's Maiden Name

Vehicle Identifiers

E-Mail Address

Mailing Address

Phone Numbers

Medical Records Number

Medical Notes

Financial Account Info

Certificates

Legal Documents

Education Records

Device Identifiers

Military Status

Employment Status

Foreign Activities

Passport Number

Taxpayer ID
eRA Commons ID
login credentials (only for 3rd party applicants)
Organizational affiliation

Employees
Public Citizens
16

Business Partners/Contacts (Federal, state, local agencies)

Indicate the categories of individuals about whom PII
is collected, maintained or shared.

Vendors/Suppliers/Contractors
Patients
Other

17 How many individuals' PII is in the system?

18 For what primary purpose is the PII used?

19

Describe the secondary uses for which the PII will be
used (e.g. testing, training or research)

100-499
The primary purpose and use of the PII collected is for
providing contact information and for logging into the system
for submitting research applications.
N/A

20 Describe the function of the SSN.

N/A

20a Cite the legal authority to use the SSN.

N/A

21

Identify legal authorities governing information use
5 USC 301
and disclosure specific to the system and program.

22

Are records on the system retrieved by one or more
PII data elements?

Yes
No

Page 3 of 7

Save
Directly from an individual about whom the
information pertains
In-Person
Hard Copy: Mail/Fax
Email
Online
Other
Government Sources
23

Within the OPDIV
Other HHS OPDIV
State/Local/Tribal
Foreign
Other Federal Entities
Other

Identify the sources of PII in the system.

Non-Government Sources
Members of the Public
Commercial Data Broker
Public Media/Internet
Private Sector
Other
23a

Identify the OMB information collection approval
number and expiration date.

24 Is the PII shared with other organizations?

Describe the process in place to notify individuals
25 that their personal information will be collected. If
no prior notice is given, explain the reason.

26

Is the submission of PII by individuals voluntary or
mandatory?

OMB control #: 0925-0705; expires 9/30/23 and is under OMB
review for 3 year extension
Yes
No
Individuals are notified that their information will be collected
during their application for system access and participation in
the CRU program.
For login credentials via IMS and eRA, these two systems
maintain their own processes that are documented in their
respective Privacy Impact Assessments (PIAs), including all
legal authorities documented.
Voluntary
Mandatory

Describe the method for individuals to opt-out of the
collection or use of their PII. If there is no option to
27
object to the information collection, provide a
reason.

There is no formal opt-out option. During the application
process, individuals may decline to provide their PII. However,
in doing so, they will not have access to the CRU system or be
able to submit proposals.

Describe the process to notify and obtain consent
from the individuals whose PII is in the system when
major changes occur to the system (e.g., disclosure
28 and/or data uses have changed since the notice at
the time of original collection). Alternatively, describe
why they cannot be notified or have their consent
obtained.

When major changes occur, individuals have the ability to
update their own PII within the system. for login credentials via
IMS and eRA Commons, the processes are documented in their
respective Privacy Impact Assessments (PIAs), including all
legal authorities documented.

Page 4 of 7

Save
If an individual believes their PII has been inappropriately
obtained and used, they may reach out to system
administrators.

Describe the process in place to resolve an
individual's concerns when they believe their PII has
29 been inappropriately obtained, used, or disclosed, or
that the PII is inaccurate. If no process exists, explain For login credentials via IMS and eRA, these two systems
maintain their own processes that are documented in their
why not.
respective Privacy Impact Assessments (PIAs), including all
legal authorities documented.
Describe the process in place for periodic reviews of
PII contained in the system to ensure the data's
30
integrity, availability, accuracy and relevancy. If no
processes are in place, explain why not.

Identify who will have access to the PII in the system
31
and the reason why they require access.

Periodic system audits and reviews by system administrators
are performed to verify PII within the system.
For login credentials via IMS and eRA, these two systems
maintain their own processes that are documented in their
respective Privacy Impact Assessments (PIAs), including all
legal authorities documented.
Users

Users have access to their own PII for
submission of proposals.

Administrators

Administrators have access to PII for
review of submitted proposals.

Developers

Developers have access to perform
system maintenance and
troubleshooting.

Contractors

Direct Contractors have access to
perform administrative duties
regarding the review of submitted
proposals.

Others
Describe the procedures in place to determine which Determinations are made based on role-based access controls
and least privilege. User rights are provisioned based on
32 system users (administrators, developers,
controls within the system, allowing users only access to the
contractors, etc.) may access PII.
minimum amount of PII necessary to perform their job.
Describe the methods in place to allow those with
33 access to PII to only access the minimum amount of
information necessary to perform their job.

Determinations are made based on role-based access controls
and least privilege. User rights are provisioned based on
controls within the system, allowing users only access to the
minimum amount of PII necessary to perform their job.

Identify training and awareness provided to
personnel (system owners, managers, operators,
contractors and/or program managers) using the
34
system to make them aware of their responsibilities
for protecting the information being collected and
maintained.

The NIH Security Awareness Training course is used to satisfy
this requirement. According to NIH policy, all personnel who
use NIH applications must attend security awareness training
every year. There are five categories of mandatory IT training
(Information Security, Counterintelligence, Privacy Awareness,
Records Management and Emergency Preparedness).

Describe training system users receive (above and
35 beyond general security and privacy awareness
training).

System specific standard operating procedures (SOPs) are
provided.

Do contracts include Federal Acquisition Regulation
36 and other appropriate clauses ensuring adherence to
privacy provisions and practices?

Yes
No

Page 5 of 7

Save

Describe the process and guidelines in place with
37 regard to the retention and destruction of PII. Cite
specific records retention schedules.

NIH Intramural Records Schedule, Item I-0003: Records of All
Other Intramural Research Projects. These are temporary
records, cut off annually at termination of project/program or
when no longer needed for scientific reference, whichever is
longer. Destroy 7 years after cutoff. Disposition Authority:
DAA-0443-2012-0007-0003.
Administrative Controls: All personnel who access CRU have
met background investigation criteria for Public Trust
positions. All personnel have taken mandatory security and
privacy training classes and annual refreshers. Administrative
personnel accessing these systems use privileged and separate
accounts for administrative access.

Describe, briefly but with specificity, how the PII will
38 be secured in the system using administrative,
technical, and physical controls.

Technical Controls: IT hardware and software is segregated
from default commodity public networks to prevent
unauthorized or malicious access. Access controls lists and
event logs are maintained and monitored to detect
unauthorized, suspicious or malicious activity. Access lists are
restricted to approved IT technical personnel. Two factor
authentication must be used for access. File integrity and
auditing software are employed on hardware.
Physical Controls: The information technology (IT) hardware
used to host protected information is located in a secured
datacenter facility. The facility is only open to authorized
personnel whose access is monitored by locking doors with
badge readers for both ingress and egress. Each discrete
ingress and egress event is logged. The facility is under 24hour surveillance by facilities security for security and
environmental hazards.

39 Identify the publicly-available URL:
40 Does the website have a posted privacy notice?

https://cru.dpcpsi.nih.gov/
Yes
No

40a

Is the privacy policy available in a machine-readable
format?

Yes

41

Does the website use web measurement and
customization technology?

Yes

42

Does the website have any information or pages
directed at children under the age of thirteen?

Yes

43

Does the website contain links to non- federal
government websites external to HHS?

Yes

General Comments

No
No

No

No

This component is under the OD GSS, whose Universal Unique Identifier (UUID) is: 2092B382-A4F2-4FD5A93E-1857E18B771E.

Page 6 of 7

Save
OPDIV Senior Official
for Privacy Signature

Dustin B.
Close -S

Digitally signed by Dustin
B. Close -S
Date: 2023.05.12 12:20:54
-04'00'

Page 7 of 7