Website Database Discovery Stakeholder Engagement
Date signed: 2/15/2024
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-9905565-055653 |
| Name: | Website Database Discovery Stakeholder Engagement |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | Yes |
| Identify the operator: | Agency |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 7/13/2023 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. |
|
| Describe in further detail any changes to the system that have occurred since the last PIA. | N/A |
| Describe the purpose of the system | The Website Data Discovery Stakeholder Engagement (WDDSE) empowers different users with the ability to analyze CMS quality data and get the answers they need regarding their provider, research, policy or program questions. A number of different audiences are interested in viewing and analyzing CMS quality reporting compare data. These different audiences have very different needs, some are data scientists that want to analyze data across multiple data sets while others (providers, beneficiaries) are looking for detailed information about a specific provider or summary level information. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The Website Data Discovery Stakeholder Engagement shares public use data that CMS makes available at CMS Data. The only other information it stores are credentials for its own administrative users in the form of Name and Email Address for access to the backend of the system. There is no front-end login required for the site and no frontend user data is collected. |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The WDDSE platform consists of a Frontend React single-page application (SPA) that is hosted on Akamai and a Backend Drupal site that is hosted on Acquia (a Drupal provider). The platform provides the means for CMS/Office of Communications (OC) to make public health data accessible through the CMS Data site. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. |
|
| Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
| How many individuals' PII in the system? | <100 |
| For what primary purpose is the PII used? | PII is limited to the minimum amount of information to create and manage accounts for CMS and Contractors to access the content management system. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | None |
| Describe the function of the SSN. | N/A |
| Cite the legal authority to use the SSN. | The system does not collect or use Social Security Numbers. |
| Identify legal authoritiesā governing information use and disclosure specific to the system and program. | 5 U.S.C. 301 |
| Are records on the system retrieved by one or more PII data elements? | No |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
| Identify the sources of PII in the system: Government Sources |
|
| Identify the sources of PII in the system: Non-Government Sources |
|
| Identify the OMB information collection approval number and expiration date | Not Applicable |
| Is the PII shared with other organizations? | No |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | There is no Message of the Day Banner for the frontend users, as there is no login. However, backend administrators receive a message of the day banner via CloudVPN login. There is no personal information collected for individual users of the website, the website is publicly available with no required login or information collected. The only users accessing the system are internal contractors / CMS administrators for management of the system. |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | No opt-out is provided as all PII collected is solely from CMS and Contractors for the purpose of credentialing. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | No notification or re-consent is provided as all PII collected is solely from CMS and Contractors for the purpose of credentialing. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | No process is provided as all PII collected is solely from CMS and Contractors for the purpose of credentialing. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Credentials are reviewed and validated on a regular basis in accordance with CMS security control requirements. |
| Identify who will have access to the PII in the system and the reason why they require access. |
|
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | All CMS users who require access to the system are required to take the Annual CMS Security Awareness training to ensure full compliance to CMS policies and go through a separate request/approval process for access to the Drupal administrative application and the system infrastructure. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | System administrators have broad access to credentialing information as part of their role in managing the system. System administrators are limited to First Name, Last Name and Email Address. There is no Social Security Number, Mailing or Home Address collected. |
| Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All CMS Employees and Direct Contractors are required to undergo annual, role-based, security training to maintain access to CMS systems. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | Prior to receiving access to the system, users and administrators are required to Roles based training on the WDDSE platform and are provided with access to the lower environments in a limited role and access. Based on a per need basis, users and administrators are given greater access after another round of request & approvals. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | Records are maintained in accordance with the National Archives Records Schedule DAA-0440-2015-000-0001. Records are retained for up to 10 years unless longer retention is authorized. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Administrative: Administrative credentials are secured via administrative processes that require recurrent training, the use of appropriate approval processes, and personnel processes for on-boarding and off-boarding. Technical: Additional technical controls ensure that credentials are protected with encryption for data in motion and at rest, the use of multi-factor authentication, and access controls to limit administrator privileges to approved people and systems. Physical: Physical controls are implemented by the hosting provider to ensure only approved personnel are permitted physical access to the hosting environment. |
| Identify the publicly-available URL: | CMS Data |
| Does the website have a posted privacy notice? | Yes |
| Is the privacy policy available in a machine-readable format? | Yes |
| Does the website use web measurement and customization technology? | No |
| Does the website have any information or pages directed at children under the age of thirteen? | No |
| Does the website contain links to non-federal government website external to HHS? | Yes |
| Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS? | Yes |
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services