Quantum Metric

Date signed: 9/27/2019

TPWA PIA info for Quantum Metric
TPWA PIA Questions	TPWA PIA Answers
OPDIV:	CMS
TPWA Unique Identifier (UID):	T-6756865-308818
Is this a new TPWA?	Yes
Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act?	No
Indicate the SORN number (or identify plans to put one in place.)	SORN Number: Not Applicable If not published: Not applicable
Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)?	No
Indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.)	OMB Approval Number: Not applicable Expiration Date: Not applicable Explanation: Not applicable
Does the third-party Website or application contain Federal Records?	No
Describe the specific purpose for the OPDIV use of the third-party Website or application:	The Centers for Medicare & Medicaid Services (CMS) uses Quantum Metric to analyze user interaction with CMS’ websites, including Medicare.gov, MyMedicare.gov, HealthCare.gov, CuidadoDeSalud.gov, and various subdomains of the above top-level domains (TLDs). These TLDs are hereafter referred to as “CMS’ websites.” Quantum Metric is a technology platform that provides digital analytics and session replay. The CMS staff analyze and report using Quantum Metric. The reports are available only to CMS managers, teams who implement CMS represented on CMS’ websites, members of the CMS communications and web teams, and other designated federal staff and contractors who need this information to understand behavioral data related to areas where users are frustrated or unable to complete tasks on CMS’ websites to better perform their duties. CMS uses this information to determine what types of changes need to be made to CMS’ websites to improve the user experience for visitors by delivering different user interfaces to consumers and observing which allows consumers to perform a task easier.
Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use?	Yes
Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application:	If consumers do not want Quantum Metric to collect information related to their visits to CMS’ websites, consumers can use other means of interaction, including but not limited to paper applications, call centers, or in-person assisters. In addition to these options, a consumer can use the Tealium iQ Privacy Manager on each CMS website’s privacy page and opt out of having data collected about them by Quantum Metric. Tealium iQ allows CMS to control which cookies or web beacons are enabled/disabled, and thus which third-party tools are enabled/disabled. This functionality is covered in in more detail within the Tealium TPWA. Alternatively, a consumer can disable their cookies, and/or block this functionality in the browsers Flash player settings manager, Global Privacy Settings panel, if they do not want their information to be collected.
Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors?	No
How does the public navigate to the third party Website or application from the OPIDIV?	Other...
Please describe how the public navigate to the third-party website or application:	Not Applicable. The public cannot navigate directly to Quantum Metric.
If the public navigate to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website?	No
Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application?	Yes
Provide a hyperlink to the OPDIV Privacy Policy:	https://www.cms.gov/privacy/
Is an OPDIV Privacy Notice posted on the third-party Website or application?	No
Is PII collected by the OPDIV from the third-party Website or application?	No
Will the third-party Website or application make PII available to the OPDIV?	No
Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII:	Not applicable. CMS does not collect any PII through the use of Quantum Metric.
Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing:	Not applicable. CMS does not collect any PII through the use of Quantum Metric.
If PII is shared, how are the risks of sharing PII mitigated?	Not applicable. CMS does not collect any PII through the use of Quantum Metric.
Will the PII from the third-party Website or application be maintained by the OPDIV?	Not applicable. CMS does not collect any PII through the use of Quantum Metric.
Describe how PII that is used or maintained will be secured:	Not applicable
What other privacy risks exist and how will they be mitigated?	CMS will use Quantum Metric in a manner that protects the privacy of consumers who visit CMS’ websites and respects the intent of visitors. CMS will conduct periodic reviews of Quantum Metric’s privacy practices to ensure its policies continue to align with agency objectives and privacy policies and do not present unreasonable or unmitigated risks to consumer privacy. Quantum Metric is employed solely for the purposes of improving CMS’ services and activities online related to operating CMS’ websites. Information collected by Quantum Metric is created and maintained by Quantum Metric. Potential Risk: Quantum Metric uses persistent cookies on CMS’ websites and can be stored on a user’s local system. Mitigation: Users can opt-out of Quantum Metric by using the Tealium iQ Privacy Manager on each CMS website’s privacy page. Alternatively, a consumer can disable their cookies, if they do not want their information to be collected. Quantum Metric privacy policies, notices from CMS websites and Quantum Metric informing consumers of its privacy policies, and the ability of consumers to opt out of providing their information to Quantum Metric, mitigate risks to consumer privacy. For consumers that do not opt out, CMS has configured its use of Quantum Metric to mask IP addresses before being stored to add additional safeguards to ensure that this data cannot be connected with other data. CMS will not deploy the Quantum Metric tool if the website is not using Tealium iQ. Potential Risk: In addition to using persistent cookies, Quantum Metric uses local object storage such as HTML5. Mitigation: Local object storage, can store data within the user's browser. Local object storage is more secure, and large amounts of data can be stored locally, without affecting website performance. Unlike cookies, the storage limit is far larger and information is never transferred to the server. Users can opt-out of Quantum Metric by using the Tealium iQ Privacy Manager on each CMS website’s privacy page. Alternatively, users have the ability to block this functionality in the browsers Flash player settings manager, Global Privacy Settings panel.

Third-Party Web and Application (TPWA) Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

View all CMS PIAs

Authorization to Operate (ATO)

Ongoing Authorization (OA)

Assessments & Audits

CMS Policies and Guidance

Federal Policies and Guidance

Application Security

Security Operations

Risk Management and Reporting

Agreements

Privacy Activities

Privacy Resources

Reporting & Compliance

System Security

Tests & Assessments

Quantum Metric