Eventbrite
Date signed: 5/18/2021
| TPWA PIA Questions | TPWA PIA Answers |
|---|---|
| OPDIV: | CMS |
| TPWA Unique Identifier (UID): | T-4804283-846399 |
| Is this a new TPWA? | Yes |
| Please provide the reason for revision. | Not applicable |
| Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act? | No |
| Indicate the SORN number (or identify plans to put one in place.) |
|
| Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)? | No |
| Indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.) |
|
| Does the third-party Website or application contain Federal Records? | Yes |
| Describe the specific purpose for the OPDIV use of the third-party Website or application: | The Office of Communications (OC) will create publicly accessible events that are published on https://www.cms.gov/events for registration through Eventbrite.com. Eventbrite will collect PII of registrants (individuals) for the event, in order to provide event information and track attendance. |
| Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use? | Yes |
| Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application: | Users may decline registering for an event through Eventbrite and choose to e-mail the CMS contact directly for the event in order to register. |
| Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors? | Yes |
| How does the public navigate to the third party Website or application from the OPIDIV? | An external hyperlink from an HHS Website or Website operated on behalf of HHS. |
| Please describe how the public navigate to the third-party website or application: | The public will be redirected to EventBrite.com from https://www.cms.gov/events and CMS posts events at http://cmsgov.eventbrite.com/ An exit notice will be posted for users exiting the CMS.gov domain. |
| If the public navigate to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website? | Yes |
| Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application? | Yes |
| Provide a hyperlink to the OPDIV Privacy Policy: | https://www.cms.gov/privacy |
| Is an OPDIV Privacy Notice posted on the third-party Website or application? | Yes |
| Confirm that the Privacy Notice contains all of the following elements: (i) An explanation that the Website or application is not government-owned or government-operated; (ii) An indication of whether and how the OPDIV will maintain, use, or share PII that becomes available; (iii) An explanation that by using the third-party Website or application to communicate with the OPDIV, individuals may be providing nongovernmental third-parties with access to PII; (iv) A link to the official OPDIV Website; and (v) A link to the OPDIV Privacy Policy. | Yes |
| Is the OPDIV's Privacy Notice prominently displayed at all locations on the third-party Website or application where the public might make PII available? | Yes |
| Is PII collected by the OPDIV from the third-party Website or application? | Yes |
| Will the third-party Website or application make PII available to the OPDIV? | Yes |
| Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII: | CMS will collect the first name, last name and e-mail address of users. The purpose is for registering for events. This information is collected for communicating with the user about updates to the event, tracking registrants, and providing access to the events (both virtual and in-person). |
| Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing: | First Name, Last name, and email address is shared with the Event Coordinator (CMS personnel who is the creator of the event), and the Web Help Service Desk. The Web Help Service Desk manages and administrates CMS Eventbrite. The Event Coordinator communicates with the registrants and is the host of the event. |
| If PII is shared, how are the risks of sharing PII mitigated? | Sharing the PII is limited to only the Web Help Service Desk and Event coordinator. Further, the PII is secured in a password protected file with the CMS Event Coordinator. |
| Will the PII from the third-party Website or application be maintained by the OPDIV? | Yes |
| If PII will be maintained, indicate how long the PII will be maintained: | The PII will be retained according to the CMS Bucket - DAA-0440-2015-001, Item 0003, Other Public Outreach and Engagement Records. Sub-bucket 8C. Retention: The retention is temporary and records should be destroyed when one year old, or when no longer needed for agency business. |
| Describe how PII that is used or maintained will be secured: | CMS will maintain and secure PII in a password protected file with the CMS Event Coordinator. |
| What other privacy risks exist and how will they be mitigated? | Eventbrite may disclose, transfer or share Personal Data with certain third parties without further notice to participants. Third Parties include: business transfers, parent companies, subsidiaries, affiliates, agents, consultants, service providers, event organizers, Facebook, social media and third party connections, and for legal requirements. CMS will only collect information necessary for event registration to minimize risks of collecting more information than required. The use of Eventbrite will be reviewed on a regular occurring basis to assess new risks. Risks can be mitigated for participants by registering via email to the applicable CMS event address without sharing PII directly with Eventbrite. Participants can reach out to the Privacy Officer at Eventbrite for specific questions by writing to the Privacy Officer at, 155 5th Street, Floor 7, San Francisco, CA 94103, USA or by email privacy@eventbrite.com. |
Third-Party Web and Application (TPWA) Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services