Google+
Date signed: 9/21/2015
| TPWA PIA Questions | TPWA PIA Answers |
|---|---|
| OPDIV: | CMS |
| TPWA Unique Identifier (UID): | T-1968080-971831 |
| Is this a new TPWA? | Yes |
| Please provide the reason for revision. | Not applicable because this is a new assessment of a third party tool. |
| Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act? | No |
| Indicate the SORN number (or identify plans to put one in place.) |
|
| Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)? | No |
| Indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.) |
|
| Does the third-party Website or application contain Federal Records? | No |
| Describe the specific purpose for the OPDIV use of the third-party Website or application: | HealthCare.gov has created and maintains an educational presence on Google+ in the form of a HealthCare.gov branded page. This page allows for a direct connection with end users to provide broad educational opportunities and limited opportunities to address consumer questions and concerns. Google+ is a popular platform where users can consume and interact (+1 (like), share, comment) with content related to their friends, and personal interests. HealthCare.gov has created a branded page on Google+ to provide educational content in a space where many potential end users of products made available on HealthCare.gov are already spending their time online. The primary purpose of having a branded page on Google+ is to promote information related to HealthCare.gov and to provide resources to consumers who may not be regular visitors to the HealthCare.gov website; occasionally we will leverage the innate social sharing capacity of this platform by asking followers of our branded page to share our content with their friends on the platform for the purpose of disseminating a particular message as it relates to an initiative or information related to HealthCare.gov. |
| Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use? | Yes |
| Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application: | Consumers are also educated through traditional advertising through TV, radio, HealthCare.gov and local partners/counseling entities and events. Additionally information is available through other 3rd party digital properties such as YouTube, Twitter, and Facebook. |
| Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors? | Yes |
| How does the public navigate to the third party Website or application from the OPIDIV? | An external hyperlink from an HHS Website or Website operated on behalf of HHS. |
| Please describe how the public navigate to the third-party website or application: | Directly through plus.google.com, via a connect icon on the HealthCare.gov site, using a web search or via a web-based URL to content hosted on plus.google.com. |
| If the public navigate to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website? | Yes |
| Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application? | Yes |
| Provide a hyperlink to the OPDIV Privacy Policy: | https://www.healthcare.gov/privacy/ |
| Is an OPDIV Privacy Notice posted on the third-party Website or application? | Yes |
| Confirm that the Privacy Notice contains all of the following elements: (i) An explanation that the Website or application is not government-owned or government-operated; (ii) An indication of whether and how the OPDIV will maintain, use, or share PII that becomes available; (iii) An explanation that by using the third-party Website or application to communicate with the OPDIV, individuals may be providing nongovernmental third-parties with access to PII; (iv) A link to the official OPDIV Website; and (v) A link to the OPDIV Privacy Policy. | Yes |
| Is the OPDIV's Privacy Notice prominently displayed at all locations on the third-party Website or application where the public might make PII available? | No |
| Is PII collected by the OPDIV from the third-party Website or application? | No |
| Will the third-party Website or application make PII available to the OPDIV? | Yes |
| Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII: | CMS does not collect any PII through its use of Google+. Individual users who register with Google are required to provide a first name, last name, valid email address, password, sex, and date of birth to create a personal Google account, which is also their Google+ profile. Once registered, users have the option to provide a wealth of additional information about themselves such as telephone number, employment, interests, etc. which may be displayed on the individual user’s personal Google+ profile page or otherwise maintained or used by Google (review Google's data policy, and how they may use the provided information). This information may be available to CMS page administrators in whole or part, based on a user’s privacy settings. CMS does not solicit, collect, or maintain any personally identifiable information from individuals who visit, thumbs up comment, or otherwise engage with the HealthCare.gov Google+ page or posts. The HealthCare.gov Google+ page administrator may however, read, review, or rely upon information that individuals make available on Google+ in the form of comments for the purposes of responding to a user's question. Even though this information may be accessible to HealthCare.gov’s Google+ page administrators, CMS does not collect, disseminate, or maintain any of the information provided on HealthCare.gov’s Google+ page. |
| Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing: | This information is not shared beyond HealthCare.gov and Google+ Administrators. It is not collected or maintained outside of Google+ or used for other CMS purposes. |
| If PII is shared, how are the risks of sharing PII mitigated? | This data is kept within the Google+ platform. It is not downloaded into other tools and or repositories or shared with other entities. |
| Will the PII from the third-party Website or application be maintained by the OPDIV? | No |
| If PII will be maintained, indicate how long the PII will be maintained: | |
| Describe how PII that is used or maintained will be secured: | CMS does not keep separate records or accounting of Google+ users or their interaction with the HealthCare.gov Google+ page. CMS does not store or share this information. User information is retained by Google as long as a user maintains a Google account. See Google's privacy policy to see how long user information is retained after an account has been deleted. Google+ users can learn more about how their information is used and maintained by Google by visiting Google's data policy. |
| What other privacy risks exist and how will they be mitigated? | Note in reference to Question 15b - Due to limitations on Google+, the HealthCare.gov Privacy Notice is not posted in all locations on the HealthCare.gov Google+ page. It is viewable from any place on the HealthCare.gov Google+ page by clicking on the "About" tab and navigating to the "Privacy Notice". Per the terms of service agreed to by HHS and Google+, HealthCare.gov's Google+ page does not contain any third-party advertising. This limits any association with additional content that HealthCare.gov has neither reviewed nor endorsed on the HealthCare.gov Google+ page. In addition, the HealthCare.gov Privacy Notice Statement at HealthCare.gov and on its Google+ page directs Google+ users to review Google+'s terms of service and privacy policies to understand how Google+ may collect information about users, including what pages the user may visit, and how Google may use or share such information for third-party advertising or other purposes. In addition to the notice on Google+, consumers are provided notice on HealthCare.gov. A link to our Linking Policy is in the footer of HealthCare.gov. Our Linking Policy includes a privacy notice for social media sites and provides links to HealthCare.gov presences on Third Party sites as well as the privacy policies of those social media sites. Additionally, when a consumer places their mouse cursor over a link to a social media site, hover text informs them that they will be "Leaving HealthCare.gov" if they click. Google+ is a third-party service that uses persistent tracking technologies. In an effort to help consumers understand how their information is used by Google, the HealthCare.gov Google+ page includes a privacy notice, which addresses this topic. Google+ is created and maintained by Google. CMS has reviewed Google+'s privacy practices and has concluded that risks to consumer privacy are sufficiently mitigated through application of Googles's privacy policies, notices from HealthCare.gov and Google informing consumers of these policies, and the ability of consumers to opt-out of providing their information to HealthCare.gov and Google+. CMS will conduct a periodic review of Google+'s privacy practices to ensure Google+'s policies continue to align with agency objectives and privacy policies and do not present unreasonable or unknown risks to consumer privacy. |
Third-Party Web and Application (TPWA) Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services