Qualtrics

Date signed: 9/7/2018

TPWA PIA info for Qualtrics
TPWA PIA Questions	TPWA PIA Answers
OPDIV:	CMS
TPWA Unique Identifier (UID):	T-9830368-261543
Is this a new TPWA?	Yes
Please provide the reason for revision.	Changed scope of PIA to cover CMS’ public websites beyond HealthCare.gov.
Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act?	No
Indicate the SORN number (or identify plans to put one in place.)	SORN Number: Not Applicable If not published: Not applicable
Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)?	No
Indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.)	OMB Approval Number: Not applicable Expiration Date: Not applicable Explanation: Not applicable
Does the third-party Website or application contain Federal Records?	No
Describe the specific purpose for the OPDIV use of the third-party Website or application:	The Centers for Medicare & Medicaid Services (CMS) uses Qualtrics to gather feedback from visitors to CMS’ websites, including CMS.gov, Medicare.gov, MyMedicare.gov, HealthCare.gov, CuidadoDeSalud.gov, Medicaid.gov, InsureKidsNow.gov, and various subdomains of the above top-level domains (TLDs), to gauge overall satisfaction with the website and to find out how we can improve the consumer experience. These TLDs are hereafter referred to as “CMS’ websites.” Feedback collected is general consumer feedback information via multiple-choice questions such as, "What is your feedback about?" "How can we improve this page?" and "Did you find the information helpful?" Consumers provide feedback through online surveys facilitated by the Qualtrics tool. These surveys are anonymous and not associated with a Consumers account or application. Persistent cookies can be stored on a user’s local browser and are used to ensure a consumer cannot fill out a feedback survey multiple times. Qualtrics cookies are stored for one year. Qualtrics' privacy policies, notices from CMS’ websites, information published by Qualtrics about its privacy policies, and the ability for consumers to opt-out of providing their information to Qualtrics maximizes consumers’ ability to protect their information and mitigate risks to their privacy. The CMS staff analyze and report using the collected data from Qualtrics. The reports are available only to CMS managers, teams who implement CMS programs represented on CMS’ websites, members of the CMS communications and web teams, and other designated federal staff and contractors who need this information to perform their duties.
Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use?	Yes
Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application:	If consumers do not want Qualtrics to collect information about their device, consumers can choose not to take a CMS website survey or they can use the CMS website privacy manager to opt-out website analytics tools. Survey questions are used to improve the online application process and are not applicable to alternative application channels.
Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors?	No
How does the public navigate to the third party Website or application from the OPIDIV?	The public does not navigate to Qualtrics. Qualtrics is embedded into CMS website pages.
Please describe how the public navigate to the third-party website or application:	The public does not navigate to Qualtrics. Qualtrics is embedded into CMS website pages.
If the public navigate to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website?	No
Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application?	Yes
Provide a hyperlink to the OPDIV Privacy Policy:	https://www.cms.gov/privacy-policy/ https://www.medicare.gov/privacy-policy/ https://www.healthcare.gov/privacy/ Additional privacy policies for subdomains of the above websites can be found at https://www.cms.gov/privacy-policy/
Is an OPDIV Privacy Notice posted on the third-party Website or application?	No
Is PII collected by the OPDIV from the third-party Website or application?	No
Will the third-party Website or application make PII available to the OPDIV?	No
Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII:	CMS does not collect any PII through the use of Qualtrics.
Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing:	PII is not stored or shared.
If PII is shared, how are the risks of sharing PII mitigated?	No PII is shared with CMS.
Will the PII from the third-party Website or application be maintained by the OPDIV?	No
Describe how PII that is used or maintained will be secured:	Not applicable
What other privacy risks exist and how will they be mitigated?	CMS will use Qualtrics in a manner that protects the privacy of consumers who visit CMS’ websites and respects the intent of visitors. CMS will conduct periodic reviews of Qualtrics’ privacy practices to ensure its policies continue to align with agency objectives and privacy policies and do not present unreasonable or unmitigated risks to consumer privacy. Qualtrics is employed solely for the purposes of improving CMS' services and activities online related to operating HealthCare.gov. Information collected by Qualtrics is created and maintained by Qualtrics. Potential Risk: Persistent cookies are used with third-party tools on CMS’ websites and can be stored on a user’s local browser. Qualtrics cookies are stored for one year. Mitigation: Qualtrics' privacy policies, notices from CMS’ websites, information published by Qualtrics about its privacy policies, and the ability for consumers to opt-out of providing their information to Qualtrics maximizes consumers’ ability to protect their information and mitigate risks to their privacy. Additionally, Qualtrics' surveys are voluntary and consumers can choose not to participate in surveys. CMS has configured its use of Qualtrics to mask IP addresses before being stored to add additional safeguards to ensure that this data cannot be connected with other data in order to identify a consumer who completes a survey supported by Qualtrics. In some cases, consumers may volunteer PII information in the free text field of surveys. If CMS staff see this occur, they will delete this information from the Qualtrics system. CMS will not deploy the Qualtrics tool if the website is not using Tealium iQ. Potential Risk: CMS also recognizes that if Qualtrics is not implemented correctly in relation to CMS’ websites, personal information could be collected about CMS website visitors. Mitigation: Therefore, to mitigate this risk, CMS only allows a limited number of trained and credentialed staff or contractors to implement Qualtrics.

Third-Party Web and Application (TPWA) Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

View all CMS PIAs

Authorization to Operate (ATO)

Ongoing Authorization (OA)

Assessments & Audits

CMS Policies and Guidance

Federal Policies and Guidance

Application Security

Security Operations

Risk Management and Reporting

Agreements

Privacy Activities

Privacy Resources

Reporting & Compliance

System Security

Tests & Assessments

Qualtrics