Privacy Program

Privacy Program – The NIH Privacy Program is responsible for mitigating and managing privacy breaches within NIH, and coordinates with IC Privacy Coordinators across NIH to prevent and manage situations where persons other than authorized users have access, or potential access, to personally identifiable information (PII).

Privacy Impact Assessments

The requirement for PIAs originated in the Electronic Government (E-Gov) Act of 2002, and was further clarified in Office of Management and Budget (OMB) Memorandum (M) 03-22, "OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002."
 
The PIA is an integral part of risk management.  A PIA form creates an opportunity for organizations to anticipate and address the likely impacts of new initiatives, to foresee problems and identify what needs to be done to design features that minimize any impact on privacy and/or to find less privacy intrusive alternatives.  The PIA process helps the public understand what information the organization is collecting, why the information is being collected, how the information will be accessed, used, shared, and securely stored.  It demonstrates that the organization has critically analyzed how the project will deal with personal data. Thus, a PIA promotes a more fully informed decision-making process.
 
The E-Gov Act requires that PIAs be conducted on all new Federal systems collecting information in identifiable form, which means any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.
 
Title III of the E-Gov Act is referred to as the Federal Information Security Management Act (FISMA).  It requires that the agency conduct annual reviews of information security and privacy programs and report the results to OMB.  
 
HHS requires PIAs to be conducted on all Information Technology (IT) systems and uses of Third-Party Websites and Applications (TPWAs).  HHS also requires quarterly reviews and annual FISMA reports.
 
PIAs are required for:
  • All FISMA Reportable Electronic Systems (these include General Support Systems, Major Applications and Minor Stand-Alone Applications owned/operated by the NIH or operated on behalf of the agency including those internally hosted at the NIH or externally hosted (i.e., hosted off-site by commercial vendors/contractors, including cloud-based systems)).
  • All Uses of Third-Party Websites and Applications (TPWAs) (these include Web-based technologies that are not exclusively operated or controlled by a government entity, or web-based technologies that involve significant participation of a nongovernment entity.  Often these technologies are located on a “.com” website or other location that is not part of an official government domain.  However, third-party applications can also be embedded or incorporated on an agency's official website).
  • All Surveys that contain/process PII and Sensitive Information (these include online surveys, employee surveys that ask non-work related information, and those included as part of an OMB request for clearance under the Paperwork Reduction Act to survey 10 or more members of the public in order to evaluate a program, etc.).

A PIA must be completed before an IT system becomes operational, before a third-party website or application account is created, and before a survey is launched.  Since a PIA is an analysis of how information is handled, it ensures that handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; determines the risks and effects of collecting, maintaining, and disseminating information in identifiable form; and examines and evaluates protections and alternative processes for handling information to mitigate potential privacy risks.
 
Currently, PIAs are stored in the NIH Office of the Senior Official for Privacy (OSOP).  The plan is to store them in the NIH System Authorization Tool (NSAT), which will communicate with the HHS Security Data Warehouse (HSDW) and the HHS Enterprise Architecture Repository (HEAR).

To add a new IT system, TPWA or survey to the NIH Inventory, or receive assistance in completing a PIA, please contact the staff in the NIH Privacy Program via email at privacy@mail.nih.gov or by phone at (301) 451-3426.  We are happy to help get you started!


Additional References

IC Privacy Coordinators
IC Information Systems Security Officers
NIH Information Security and Privacy Awareness Training Dashboard
NIH Project Clearance Branch Website
NIH Records Management Website
NIH Policy 1745, IT Privacy Program
NIH Policy 1745-1, Privacy Impact Assessments
PIA Form (IT System)
NIH PIA Guide
PIA Form (TPWA)
NSAT Website
NIH NSAT Entity Creation Form
