Anti-Harassment Complaints Database and 508 Complaints Database
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 1/30/2025
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-8049034-335879 |
| Name: | Anti-Harassment Complaints Database and 508 Complaints Database |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | No |
| Identify the operator: | Contractor |
| Is this a new or existing system? | New |
| Does the system have Security Authorization (SA)? | No |
| Planned Date of Authorization | 12/23/2024 |
| Describe the purpose of the system | Anti-Harassment Complaints Database and 508 Complaints Database System (AH-508-CDBS) is comprised of two applications: the Anti-Harassment Database and the 508 Compliant Database. They are Commercial Off the Shelf (COTS) products built within the Tyler Technologies Cloud-based software. They are used by select CMS Office of Equal Rights and Civil Rights employees to track harassment and Section 508 complaints. Section 508 is part of a 1998 amendment to the Rehabilitation Act of 1973 that concern accessibility. This system follows the mandates of the U.S. Equal Employment Opportunity Commission (EEOC) to create necessary workflows for 508 complaints filed by HHS CMS. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The system will collect and maintain the following PII elements: Name Date of Birth Protected Health Information Demographics (age, sex, race) Mailing address Phone number Personnel disciplinary and performance information Military Status Employment Status
|
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | AH-508-CDBS are two case management databases using Tyler Federal Product Suite which is a Software as a Service (SaaS) tool. The Anti-Harassment Database is a configurable COTS solution that is 508 compliant and based on Application Platform, a configurable workflow software which will mimic the Agency’s anti-harassment complaint process. 508 Compliant Database is a configurable Commercial Off the Shelf product for the 508 complaints process. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. |
|
| Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
| How many individuals' PII in the system? | 500-4,999 |
| For what primary purpose is the PII used? | PII is used when an individual files an anti-harassment and/or 508 complaints case. The individual's PII is then shared with the case manager as part of the intake process to collect information about the case. The PII can be shared with individuals that are handling the case. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | The secondary uses for which the PII will be used is for legal and regulatory matters if cases need to escalate. |
| Describe the function of the SSN. | Not applicable, SSN is not used by the AH-508-CDBs system to retrieve information on employees. |
| Cite the legal authority to use the SSN. | Not applicable. |
| Identify legal authorities governing information use and disclosure specific to the system and program. | Section 501 and 508 of Rehabilitation Act Title 6 of the Civil Rights Act Age, Discrimination and Employment Act The Genetic Information Non-discrimination Act Americans with Disabilities Act 29 CFR 1614 29 CFR 1630 EEOC Enforcement Guidance on Harassment in the Workforce |
| Are records on the system retrieved by one or more PII data elements? | Yes |
| Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | EEOC–15 Internal Harassment Inquiries. EEOC–16 Office of Inspector General Investigative Files. EEOC–17 Defensive Litigation Files. EEOC–3 Title VII and Americans with Disabilities Act Discrimination Case Files. EEOC–18 Reasonable Accommodation Records. EEOC/GOVT-1 2016-27702 |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
| Identify the sources of PII in the system: Government Sources | Within the OPDIV |
| Identify the sources of PII in the system: Non-Government Sources |
|
| Identify the OMB information collection approval number and expiration date | Not Applicable. |
| Is the PII shared with other organizations? | No |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | A Privacy Act statement is given prior to testimonies; the statement verbally notifies individuals about the collection of PII, and data will be kept confidential. |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | Individuals can opt-out of the collection or use of their PII by selecting the Anonymous Reporting option. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Due to the nature of the purpose of the system, PII in the system will not be disclosed by the system or used in a manner different from the reason for which the information was originally collected. If it is necessary to disclose PII in the form of a legal testimony, the users are notified, and their consent is obtained to disclose PII during legal testimony proceedings. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Individuals can submit correct information and are given rights to other entities that handle such concerns about disclosure and improper use of PII. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Quarterly reports and audits are conducted to ensure the data's integrity, availability, accuracy, and relevancy. Multiple levels of quality control review are in place for each case. Each case is audited prior to closure. |
| Identify who will have access to the PII in the system and the reason why they require access. |
|
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Only individuals with a legal need to know. Case managers will need access to view their case(s). There will only be one admin account, and the point of contact will determine who can access PII based on given to users.
|
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Role-based access with multiple levels of approval is utilized. Users go through screening and training as well as follows CMS Rules of Behavior policy. |
| Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | The system is only accessed by CMS internal users. The system users are required to take CMS Security and Privacy Computer Based Training annually. Additionally, the system login banner (which requires user click-through) reminds users of their CMS Security and Privacy responsibilities to protect the information being collected and maintained in the system. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | Internal Office of Equal Opportunity and Civil Rights (OEOCR) system training is provided for new users. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | Follow National Archives and Records Administration (NARA) 7-year retention and destruction policy for EEO Incorporate the schedule into the Office of Strategic Operations and Regulatory Affairs' (OSORAs) record schedule Incorporate the schedule into the OEOCR file plan. Record retention schedule link: https://www.archives.gov/files/records-mgmt/grs/grs02-3.pdf
|
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Administrative controls include access approval by management and review of accounts. Technical controls include event logging, role-based access, and networking security controls. Physical controls in place at the Amazon Web Services (AWS) East monitor physical access, visitor logging, and environmental access controls. |