GovDelivery
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 10/31/2023
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-1355245-610860 |
Name: | GovDelivery |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | Yes |
Identify the operator: | Contractor |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 11/15/2024 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | Granicus implemented changes to the system to use Federal Risk and Authorization Management Program (FedRAMP) approved Amazon Web Services (AWS) to improve or add services in support of Domain Name Service (DNS), security key storage, and bulk Short Message Service (SMS) sending. Granicus added containerization as part of an operating system upgrade. Granicus added an additional multi-factor authentication method using Microsoft Azure Multi-Factor Authentication. All changes were assessed by a FedRAMP Third Party Assessment Organization (3PAO) for both security and privacy impact. Other than this question response, there is no impact to this Privacy Impact Assessment (PIA). |
Describe the purpose of the system | GovDelivery is used to handle email subscription management and deliver emails that recipients agreed to receive (opt-in email). It is designed to facilitate and increase citizen engagement with public government messaging. In other words, it enables citizens (hereinafter referred to as “members of the public”) to communicate more effectively with the Government (hereinafter referred to as “administrators”). The Centers for Medicare and Medicaid Services (CMS) uses GovDelivery to assist with implementing provisions of the Affordable Care Act, to handle outbound communications within the Healthcare.gov ecosystem, and to continually improve communications and access to Agency information on the Medicare.gov, CMS.gov, Medicaid.gov, Healthcare.gov and CuidadoDeSalud.Gov sites. This outreach includes both email and text messages sent to members of the public in support of CMS Office of Communications outreach planning, including to increase Plan Finder completions for Medicare.gov and to increase enrollments in the marketplaces via information about enrollment on Healthcare.gov. Medicaid.gov uses email to communicate important updates to state and other partner contacts, including Unwinding and Public Health Emergency information. CMS.gov uses GovDelivery for internal communications to CMS staff and vendors, and also to key partners. GovDelivery allows subscribers to receive updates when new information becomes available on the CMS websites and automates the creation and distribution of messages through email, text messaging and social media. GovDelivery sends personalized messages (e.g. signup confirmation, password changes, profile changes, etc.) to a large volume of targeted audiences and provides CMS with vital statistics on the email delivery rates, open rates and click-through rates used by Healthcare.gov and CuidadoDeSalud.gov. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | GovDelivery collects subscriber-provided names, telephone numbers, and email addresses. CMS uses GovDelivery to acquire additional information from subscribers using campaign-specific forms defined and maintained by CMS. The subscriber Internet Protocol (IP) address may be used to approximate longitude, latitude, city, state and country. The system also automatically collects certain log information, including IP address, web pages requested and accessed, and date and time of access, as part of normal server operation. Log information is not linked to personally identifiable information. CMS employees and direct contractors enter user IDs and passwords to be granted access to GovDelivery. Subscribers are also required to enter email addresses and passwords to be granted access to GovDelivery. The system permanently stores the email addresses, names, and phone numbers of individuals who sign up for the service for the duration that the service is provided. This information is either directly entered by the individual user or is uploaded by the agency via an internal list. Information is deleted after GovDelivery service termination. Log information may be retained for up to one year. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | GovDelivery is used to handle email subscription management and deliver opt-in email in support of the applications and communication campaigns. GovDelivery is designed to facilitate and increase citizen engagement with public government messaging. In other words, it enables members of the public to communicate with the Government more effectively. The GovDelivery system collects PII (names, telephone numbers, and email addresses) by requesting the information on a webform. The subscriber IP address may be used to approximate longitude, latitude, city, state and country. This PII is retained until the subscriber cancels his or her subscription. The GovDelivery system regularly retrieves and uses the PII collected (names, telephone numbers, and email addresses) to allow subscribers to receive updates when new information becomes available on the CMS websites. The GovDelivery system automates the creation and distribution of messages through email, text messaging and social media. The PII collected is also retrieved to allow the GovDelivery system to send a large volume of personalized messages to targeted audiences and to provide CMS with vital statistics on mail delivery rates and open rates. The GovDelivery system regularly uses this same PII to let privileged GovDelivery users (CMS employees and direct contractors who administer the GovDelivery system) retrieve system records that include subscriber PII (names, telephone numbers, email addresses, and the subscriber IP address, which may be used to approximate longitude, latitude, city, state and country). CMS employees and direct contractor support staff enter user IDs and passwords to be granted administrative access to GovDelivery system records. Subscribers are also required to enter email addresses and passwords to be granted access to their GovDelivery subscriber settings. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
How many individuals' PII in the system? | 1,000,000 or more |
For what primary purpose is the PII used? | The PII is used solely for communicating information from CMS about systems and services available to the end users/subscribers. The PII of CMS employees and direct contractor support staff (user IDs and passwords) is used to grant access to GovDelivery and to maintain the system. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | N/A |
Describe the function of the SSN. | N/A: GovDelivery does not collect, use or store SSNs. |
Cite the legal authority to use the SSN. | N/A: GovDelivery does not store or use SSNs. |
Identify legal authorities governing information use and disclosure specific to the system and program. | 42 CFR 401.101–401.148; Sec. 1106(a) of the Social Security Act, 42 U.S.C. 1306(a); 5 U.S.C. 301, Departmental Regulations |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | HHS Correspondence, Customer Service, and Contact List Records, 09-90-1901; Health Insurance Exchanges Program, 09-70-0560 |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Online |
Identify the sources of PII in the system: Government Sources | |
Identify the sources of PII in the system: Non-Government Sources | Members of the Public |
Identify the OMB information collection approval number and expiration date | N/A: The Office of Communications (OC) verified with the Office of Strategic Operations and Regulatory Affairs (OSORA) that OMB information collection approval is not required, as the site does not appear to request or require anything other than contact information for identification purposes. No OMB Control Number applies. |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Subscribers are given a signup page, so they know that their personal information is being collected because they entered the information themselves. Additionally, there is a Legal & Privacy statement on the website that describes how GovDelivery will use the information the subscribers provide. Employees and direct contractors requesting access to GovDelivery must sign an account request form prior to account creation. The account request form must also be filled out indicating name, email, phone number and the access level needed. This form is reviewed and approved by the System Information Security Officer (ISSO) prior to account creation. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | Subscribers are not required to provide PII if they do not want the service. Subscribers can unsubscribe from GovDelivery subscriptions through various methods. All GovDelivery accounts are provided with public subscription pages that subscribers can use to access, edit and delete their subscriptions. While it is common (and best practice) for agencies to link to these options in every communication sent to subscribers, it is the agency’s responsibility to ensure that this information is made readily available. If CMS employees and direct contractors require access to GovDelivery, they cannot 'opt-out' of providing their PII, as the user ID and password are used to log on to the system to perform their job duties. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | All major system changes concerning PII are published via the System of Records Notice (SORN) for comment in the Federal Register as part of a modification of the applicable System of Records (SOR). This allows a 60-day comment period for members of the public. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | All PII within the system is provided directly by the individual. If a user does not believe their information should be in the system, they can contact the GovDelivery Help Desk by either phone or email and the information will be removed for them. If they believe the information is inaccurate, they can modify the information themselves by logging into GovDelivery. Subscribers only have access to their own PII. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Individual PII (email, name, and telephone number) is only modified by the individual who owns the PII and therefore cannot be inadvertently modified or destroyed by the system. The subscriber IP address is captured during usage and is used to approximate longitude, latitude, city, state and country; these values are calculated by the system and are not directly modifiable by the individual who owns them. Activities within the system are logged, so any change to PII can be traced back to a specific time and user, providing non-repudiation within the system. The system is highly available, ensuring the PII is available when needed. GovDelivery is located in a pair of Tier-1 datacenters to provide high availability. Hosting GovDelivery in two physically separate datacenters provides an avenue to ensure continuity of service to the public in the case of an unforeseen event. The system automatically detects rejected email addresses and removes those email addresses and all associated records from the system, ensuring that PII is accurate and up to date within the system. |
Identify who will have access to the PII in the system and the reason why they require access. | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | GovDelivery uses role-based access controls to ensure that administrators and users are granted access on a ‘least privilege’ basis commensurate with their assigned duties (only those with the "need" to access the system are granted access for their assigned tasks/duties). Administrators have access to PII as part of their day-to-day jobs. For Administrators, role-based access control is used for privileged role assignments. For these roles, the designated government contracting official or authorized representative designates and approves system Administrators. A request to add an Administrator is submitted in writing to the government contracting official or authorized representative, and accounts are established in accordance with the access level required based on their role in the organization. It is left to the discretion of the designated CMS contracting official or authorized representative to determine the level of access an Administrator is granted. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | GovDelivery uses the principle of least privilege as well as role-based access control to ensure system administrators and users are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties. The designated government contracting official or authorized representative designates and approves System Administrators. A request to add an Administrator is submitted in writing to the government contracting official or authorized representative, and accounts are established in accordance with the access level required based on their role in the organization. It is left to the discretion of the designated CMS contracting official or authorized representative to determine the level of access an Administrator is granted. |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All CMS employees and direct contractors are required to take the CMS Information Security and Privacy training on an annual basis, or whenever changes to the training module are made. This training includes details on the handling of PII. System administrators are required to complete role-based training and meet continuing education requirements commensurate with their role. Other training avenues, such as conferences, seminars and classroom training provided by CMS/HHS, are available apart from the regular annual training. |
Describe training system users receive (above and beyond general security and privacy awareness training) | Not applicable |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | User information will be disposed of (permanently deleted) when the service is no longer available. User preferences are also permanently deleted when a user unsubscribes, and will be destroyed 1 year(s) after the user account is terminated or the password is altered, or when no longer needed for investigative or security purposes, whichever is appropriate. This is based on National Archives and Records Administration (NARA) DAA-GRS-2013-0006-0003. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | The designated government contracting official or authorized representative designates and approves System Administrators. A request to add an Administrator is submitted in writing to the government contracting official or authorized representative, and accounts are established in accordance with the access level required based on their role in the organization. It is left to the discretion of the designated CMS contracting official or authorized representative to determine the level of access an Administrator is granted. GovDelivery is located in a pair of Tier-1 data centers which provide physical control protections. The data centers are physically secured, with all exterior doors locked and badges required for accessing the buildings. Closed-circuit cameras monitor both the exterior and interior of the buildings. Security guards are also on duty during all hours of operation. Extensive training programs are in place that repeatedly address the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, privacy, and security. Policies are in place regarding the proper use of sensitive data, and all employees/contractors are fully aware of the penalties for misuse, whether intentional or unintentional. Peers are encouraged to report any violations or issues related to security and privacy events. All USB ports are locked to prevent the use of unauthorized devices. GovDelivery is built using industry best practices and is independently reviewed against Federal Information Security Management Act (FISMA) and National Institute of Standards and Technology (NIST) security and privacy controls to ensure technical, operational, and management controls are properly applied. |
Identify the publicly-available URL: | CMS.gov |
Does the website have a posted privacy notice? | Yes |
Is the privacy policy available in a machine-readable format? | Yes |
Does the website use web measurement and customization technology? | Yes |
Select the type of website measurement and customization technologies in use and whether they are used to collect PII. (Select all that apply) | |
Web Beacons - Collects PII?: | Yes |
Web Bugs - Collects PII?: | N/A |
Session Cookies - Collects PII?: | No |
Persistent Cookies - Collects PII?: | N/A |
Other - Collects PII?: | No |
Does the website have any information or pages directed at children under the age of thirteen? | No |
Does the website contain links to non-federal government websites external to HHS? | Yes |
Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS? | Yes |