Date signed: 9/7/2018
| TPWA PIA Questions | TPWA PIA Answers |
|---|---|
| OPDIV: | CMS |
| TPWA Unique Identifier (UID): | T-1772925-340827 |
| Is this a new TPWA? | Yes |
| Please provide the reason for revision. | This TPWA is revised to identify all of the added CMS websites that occasionally deliver digital advertising on third-party websites in order to reach new users and that provide information to previous visitors. The CMS websites are; www.CMS.gov, www.Medicare.gov, www.MyMedicare.gov, www.Medicaid.gov, www.InsureKidsNow.gov, HealthCare.gov, and CuidadoDeSalud.gov. |
| Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act? | No |
| Indicate the SORN number (or identify plans to put one in place.) |
|
| Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)? | No |
| Indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.) |
|
| Does the third-party Website or application contain Federal Records? | No |
| Describe the specific purpose for the OPDIV use of the third-party Website or application: | Instagram Social is a free social networking site that allows registered users to create profiles, upload photos and videos, send messages, and keep in touch with the people in their social network. Instagram Social account holders provide a username, password, and email address when they register for an account. Users may also link their Facebook account to their Instagram Social account. CMS maintains a presence on Instagram Social in the form of a CMS website branded page. Occasionally CMS will leverage the innate social sharing capacity of this platform by asking fans of our branded page to share our content with their friends on the platform; for the purpose of disseminating a particular message as it relates to an initiative or information related to the CMS website page. Instagram Social allows CMS to communicate directly with users to provide broad educational opportunities and provide limited opportunities to address consumer questions and concerns, by maintaining an Instagram Social account. In addition, CMS will disseminate information related to CMS programs and provide resources to consumers who may not be regular visitors to CMS or HHS websites. |
| Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use? | Yes |
| Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application: | If consumers do not want to interact with Instagram Social, consumers can learn about CMS campaigns through other advertising channels such as TV, radio, CMS websites, and in-person events. |
| Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors? | Yes |
| How does the public navigate to the third party Website or application from the OPIDIV? | By clicking on the external hyperlink on a CMS website. |
| Please describe how the public navigate to the third-party website or application: | Directly to Instagram.com (the website or mobile app), via a connect icon on the CMS website site, using a web search or via a web-based URL to content hosted on Instagram.com. |
| If the public navigate to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website? | Yes |
| Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application? | Yes |
| Provide a hyperlink to the OPDIV Privacy Policy: | https://www.cms.gov/privacy/ is the privacy policy for all CMS websites unless a separate one is noted below. https://www.healthcare.gov/privacy/ https://www.medicare.gov/privacy-policy/index.html |
| Is an OPDIV Privacy Notice posted on the third-party Website or application? | Yes |
| Confirm that the Privacy Notice contains all of the following elements: (i) An explanation that the Website or application is not government-owned or government-operated; (ii) An indication of whether and how the OPDIV will maintain, use, or share PII that becomes available; (iii) An explanation that by using the third-party Website or application to communicate with the OPDIV, individuals may be providing nongovernmental third-parties with access to PII; (iv) A link to the official OPDIV Website; and (v) A link to the OPDIV Privacy Policy. | Yes |
| Is the OPDIV's Privacy Notice prominently displayed at all locations on the third-party Website or application where the public might make PII available? | Yes |
| Is PII collected by the OPDIV from the third-party Website or application? | No |
| Will the third-party Website or application make PII available to the OPDIV? | Yes |
| Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII: | Not Applicable. CMS does not receive any PII through its use of Instagram Social. Individual users who register with Instagram Social are required to provide a first name, last name, valid email address, and password to create a personal Instagram Social profile. CMS websites do not routinely solicit, collect, or maintain any personally identifiable information from individuals who visit, like, comment, or otherwise engage with the CMS website’s Instagram Social page. The CMS website’s Instagram Social page Administrator may however, read, review, or rely upon information that individuals make available on the CMS website’s Instagram Social page in the form of comments for the purposes of responding to a user's question. CMS website Instagram Social Page Administrators may delete any comments on the Instagram page that contains unnecessary amounts of PII. |
| Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing: | Not Applicable. Instagram Social does not share any PII with CMS. |
| If PII is shared, how are the risks of sharing PII mitigated? | Not applicable |
| Will the PII from the third-party Website or application be maintained by the OPDIV? | No |
| Describe how PII that is used or maintained will be secured: | Not Applicable. CMS does not store or maintain any PII received through its Instagram Social account. Instagram Social does not share any PII with CMS. |
| What other privacy risks exist and how will they be mitigated? | CMS will conduct periodic reviews of Instagram Social’s privacy policy to ensure its policies continue to align with agency objectives and privacy policies and do not present unreasonable or unmitigated risks to user’s privacy interests. Limited Availability of HealthCare.gov Privacy Notice Potential. Risk: Due to limitations on Instagram Social, the CMS website Privacy Notice is not posted in all locations on the CMS website’s Instagram Social page. Mitigation: A link to the CMS website’s Privacy Notice is located on the CMS website’s branded page. The CMS website’s Privacy Notice is also available to users in other places, including on the CMS website where users can access the privacy policy directly. Instagram Social Account Information Leading To Identification of CMS website Visitors. Potential Risk: Instagram Social’s access to both personally identifiable and non-personally identifiable data about registered Instagram Social users presents the risk that CMS website visitors who are also registered Instagram Social users could be identified, and the data about these users could be misused by Instagram Social. In addition, users who link their Facebook and Instagram Social accounts may make available additional PII to Instagram. Mitigation: CMS does not receive any personally identifiable information from Instagram Social. Instagram Social provides information on the types of information collected about users in its privacy policy, as well as choices with respect to such information collection and/or how it is used. CMS’s Potential to Access PII from Instagram Social Users Potential Risk: Instagram Social users who interact directly with the CMS website branded page on Instagram Social could leave PII in their comments on the page. CMS would have access to this PII. Mitigation: CMS does not collect any PII that users leave on Instagram Social. Individual users who register with Instagram Social are required to provide a first name, last name and valid email address and password. Once registered, users may comment on CMS website’s Instagram Social posts. CMS websites do not routinely solicit, collect, or maintain any personally identifiable information from individuals who visit, like, comment, or otherwise engage with the CMS website’s Instagram Social page. CMS website’s Instagram Social page Administrators may however, read, review, or rely upon information that individuals make available on the CMS website’s Instagram Social page in the form of comments for the purposes of responding to a user's question. Any public comments that users leave on Instagram Social that are re-used for additional outreach activities will be de-identified so as to exclude any PII (e.g., Name, email, etc). CMS also reserves the right to remove comments on their Instagram Social branded page. CMS websites provide consumers with information about the use of persistent cookies and related technologies, what data is collected, and the data gathering choices, including choices related to behaviorally targeted advertising. Tealium iQ Privacy Manager offers the ability to opt out of persistent cookies. Tealium settings can be accessed via the CMS privacy policy on CMS websites. CMS will not implement pixels or web beacons, w on a browser, if Tealium iQ is not available on a CMS website. |
Third-Party Web and Application (TPWA) Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services