Skip to main content

Yello

Date signed: 4/4/2024

TPWA PIA info for Yello
TPWA PIA QuestionsTPWA PIA Answers
OPDIV:CMS
TPWA Unique Identifier (UID):T-3975166-053511
Is this a new TPWA?Yes
Please provide the reason for revision

This is a revision to the existing TPWA. The update reflects the changes released by Health and Human Services (HHS) Key Performance Indicators (KPI) Metrics that was updated on 12/01/2023. Based on the information below, questions were amended to reflect the following and include updates to questions based on age, ethnicity, veteran preference, and gender.

1. Key performance indicators to measure satisfaction with recruitment efforts among diverse and underrepresented populations.
Number of underrepresented candidates reached through tailored programing initiatives.

Number of underrepresented candidates reached through tailored recruitment initiatives.

Level of satisfaction of candidates based on tailored programing initiatives.

Level of satisfaction of candidates based on tailored recruitment initiatives.

2. Key performance indicators to measure recruitment efforts via outreach events.
Increase in number applicants due to recruitment initiatives.

Total number of candidates met at events.

Total number of candidates who attended career fairs.

Percent increase in the number of applicants who applied (FY24 will be used to establish the baseline)

3. Key performance indicators to measure recruitment efforts via HHS social media (e.g. Linked In)
Social media engagement rate (calculated as the total engagement divided by the total followers or reach).
Total number of social media posts.

Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act?Yes
Indicate the SORN number (or identify plans to put one in place.)
  • SORN Number: OPM GOVT-5
Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)?Yes
Indicate the OMB approval number and approval number expiration date (or describe the plans to obtain OMB clearance.)
  • OMB Approval Number: 0938-1185
  • Expiration Date: 03/31/2026
  • Explanation: Generic Clearance for the Collection of Qualitative Feedback on Agency Service Delivery (CMS-10415). In addition to demographic questions, respondents are asked to provide additional information beyond what is necessary to ensure proper transmission of responses.  
Does the third-party Website or application contain Federal Records?Yes
Describe the specific purpose for the OPDIV use of the third-party Website or application:To compete for high quality talent in today’s job market, CMS must modernize its talent acquisition process and create a healthy recruitment pipeline. Currently, the agency has no means to capture leads at events, webinars, or through other digital channels. Additionally, CMS lacks a database to house, segment, and engage with leads. CMS requires a tool to electronically capture leads, house them in a Customer Relationship Management (CRM) database and engage with the talent pipeline. Yello will allow CMS to achieve these goals and modernize its talent acquisition process. In addition, Yello features a robust events management and hosting platform that’s included with the Government Recruitment solution. After researching several options and taking Federal Risk and Authorization Management Program (FedRAMP®) into account, Yello is CMS’s best option. Yello is a cloud-based, digitized, talent acquisition software, deployed on Amazon Web Services (AWS) GovCloud Software as a Service (SaaS) environment. Yello's technology improves organizations’ ability to find, prioritize, manage, engage with, and hire talent. https://yello.co/government-recruiting
Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use?Yes
Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application:Individuals who elect not to use Yello are provided surveys via Survey Monkey or Google Surveys as an alternate means of collection.
Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors?Yes
How does the public navigate to the third party Website or application from the OPIDIV?An external hyperlink from an HHS Website or Website operated on behalf of HHS
Please describe how the public navigate to the third-party website or application:A unique URL will be created for the client. 
If the public navigate to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website?No
Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application?Yes
Provide a hyperlink to the OPDIV Privacy Policy:https://www.cms.gov/privacy-policy/
https://www.medicare.gov/privacy-policy/ 
Is an OPDIV Privacy Notice posted on the third-party Website or application?Yes
Confirm that the Privacy Notice contains all of the
following elements: (i) An explanation that the
Website or application is not government-owned or
government-operated; (ii) An indication of whether
and how the OPDIV will maintain, use, or share PII
that becomes available; (iii) An explanation that by
using the third-party Website or application to
communicate with the OPDIV, individuals may be
providing nongovernmental third-parties with access
to PII; (iv) A link to the official OPDIV Website; and (v)
A link to the OPDIV Privacy Policy		Yes
Is the OPDIV's Privacy Notice prominently displayed
at all locations on the third-party Website or
application where the public might make PII
available?		Yes
Is PII collected by the OPDIV from the third-party Website or application? Yes
Will the third-party Website or application make PII available to the OPDIV?Yes
Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third-party Website or application and the intended or expected use of the PII:

Personally Identifiable Information (PII) being collected and transmitted includes Name (First, Last), Email, Telephone Number, Age (34 and Under vs. 35 and Over), Veteran Preference, and Resume information of Candidates.

The age question asked to collect data on the newest Key Performance Indicators (KPI) issued from HHS.

Key performance indicators to measure satisfaction with recruitment efforts among diverse and underrepresented populations.
Number of underrepresented candidates reached through tailored programing initiatives.

Number of underrepresented candidates reached through tailored recruitment initiatives.

Level of satisfaction of candidates based on tailored programing initiatives.

Level of satisfaction of candidates based on tailored recruitment initiatives.

Additionally, the following questions were revised:

Veteran Preference:
From: Are you or have you ever served in the Armed Forces?
Yes / No

To: Are you a veteran?
Yes
No
Undisclosed

Gender:
From: What Gender do you identify with?
Male / Female / Transgender, non-binary, or another gender / Prefer not to answer.

To: Are you: (Mark all that apply)

Female 
Male 

Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing:

Yello stores PII such as name, email, Internet Protocol (IP) address, etc. Information such as Social Security Number (SSN) and identification (ID) numbers are NOT stored.

Yello also does NOT store any user financial information or health information.

If PII is shared, how are the risks of sharing PII mitigated?Yello classifies all customer data as Confidential. Confidential data is encrypted using Transport Layer Security 1.2 (TLS 1.2) encryption in transit and Advanced Encryption Standard 256 (AES256) encryption at rest. Encryption and Decryption keys are managed using Amazon Web Service (AWS) Key Management System (AWS KMS), with access limited to the Information Security team.
Will the PII from the third-party Website or application be maintained by the OPDIV?Yes
Describe how PII that is used or maintained will be secured:Yello follows AWS best practices to ensure security within AWS cloud. AWS is responsible for security "of" the cloud while Yello is responsible for security "in" the cloud. Yello relies on controls such as Host Based Intrusion Detection System, Tiered architecture, Separation of Duties, least privilege access methodology and many others.
If PII will be maintained, indicate how long the PII will
be maintained:		All data will be retained for as long as the client is an active subscriber. Data is not purged on behalf of clients. At the end of the engagement, data would be purged when requested.  
Yello has a Data Retention and Destruction Policy for clients that do not explicitly outline requirements in the contract.
What other privacy risks exist and how will they be mitigated?

CMS will use Yello in a manner that protects the privacy of applicants who submit information through the application. CMS will conduct periodic reviews of Yello’s privacy practices to ensure its policies continue to align with agency objectives and privacy policies and do not present unreasonable or unmitigated risks to individual privacy. Yello is employed solely for the purposes of competing for high quality talent in today’s job market. CMS lacks a database to house, segment, and engage with leads. CMS requires a tool to electronically capture leads, house them in a Customer Relationship Management (CRM) database and engage with the talent pipeline. Yello will allow CMS to achieve these goals and modernize its talent acquisition process.


Additionally, Yello is a voluntary application and applicants can choose not to participate/complete the information collection.

Risk: In some cases, consumers may inappropriately add PII in the free text field of surveys.

Mitigation: The intake forms a customer creates in Yello to capture candidate information is 100% customizable by the customer. While free text fields are an option, customers can collect information without free text fields and instead by customized dropdown options. For example, if a customer wants to ask what a candidate's education major is, instead of a free text field, they could provide a dropdown list of majors for a candidate to choose from. This would eliminate the free text scenario where a candidate could wrongfully input sensitive PII. However, the first/last name fields must be free text so technically there is nothing stopping a candidate from inputting sensitive information although the customer is requesting a first and last name.

Here is an example of a customer’s intake form:
https://usace.yellogov.com/app/collect/form/xG_m9sAdHHlvvJVucFSOoA

All of that said, all candidate responses can be edited, deleted, changed by a staff member (the staff member must have appropriate access rights to make changes) at any time. The Yello application contains a candidate profile which has an "edit" button where a staff member can make changes. So, if a candidate were to input sensitive PII in the field where the employer asks for their Major, that can be changed, edited, or deleted at any time. 

Third-Party Web and Application (TPWA) Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

View all CMS PIAs