Issuing Offices: OMA 301-496-2832; OCPL 301-496-5787; and OCIO 301-496-1168
Release Date: 08/08/11
Remove: Manual Issuance 2805, dated 12/18/01. PLEASE NOTE: For information on:
A. PURPOSE:

This chapter establishes policies and procedures for ensuring the privacy and protection of personal information collected, stored, used, maintained and disseminated via NIH Web sites. This policy applies to NIH Internet Web sites that are developed and/or maintained by NIH staff or by contract personnel. This policy does not apply to internal agency activities (such as on intranets, applications, or interactions that do not involve the public) or to activities that are part of authorized law enforcement, national security, or intelligence activities.

B. BACKGROUND:

The Web is a powerful tool for conveying information about the activities, objectives, policies and programs of the Federal Government and NIH. It is important that visitors to federal Web sites know that their private information is appropriately protected by the agency when they are accessing these sites, and that agency staff understand their responsibility to safeguard the personally identifiable information (PII) made available, whether solicited or unsolicited, to the agency. Potential consequences for not adequately protecting privacy in the government include criminal and civil penalties, negative impact on individuals where PII is collected and not appropriately used, reduced mission effectiveness, and loss of credibility, confidence, and trust in NIH.

C. POLICY:
Privacy Policy – A Web privacy policy shall be clearly posted on all NIH top-level/principal Web sites, including NIH and Institute/Center (IC) level sites, major on-line public resource sites and any other known major public-facing entry points, as well as any Web page that collects or posts personal information. (See URL: http://www.nih.gov/about/privacy.htm)

Privacy Notice/Statement – A comprehensive online privacy notice discusses the information collected through the Web site and typically covers the effective date, scope, information collected (both actively and passively), information uses, choices available, how to modify information or preferences, how to contact or register a dispute, and how policy changes will be communicated. Notices are easy to find and are located at or before the point of collection. They are linked from the Web site homepage and from every information collection page (e.g., a site-wide navigation component or header/footer), from pop-up or pop-under windows that contain Web forms, and in e-mail messages that originate from the Web site.

Policy Links – Links to the Institute or OD office privacy policy shall be clearly labeled and easy to access by all visitors to the Web site. If the privacy policy is combined with another mandated or recommended Web site statement, the link should be visibly labeled accordingly, e.g., “Privacy Policy/Disclaimer.”

Plain Language – Web privacy policies shall conform to the Plain Writing Act of 2010, which defines “plain writing” as writing that is clear, concise, well-organized, and follows other best practices appropriate to the subject or field and intended audience. Web privacy policies shall clearly and concisely inform visitors to the site of:

(1) Authority (whether granted by statute, regulation, or executive order) which authorizes the solicitation and/or collection of the information;

NIH staff shall also comply with the following NIH policy: NIH Manual Chapter 1825, Information Collection from the Public.

Machine-Readable Format – Web privacy policies and statements shall be represented in a machine-readable format (e.g., an XML-based standard). The Platform for Privacy Preferences (P3P) is a way to translate a privacy policy into a machine-readable format that a browser decodes in order to determine what the policy says. P3P is designed to provide Internet users with a clear understanding of how PII will be used by a particular Web site. It allows Web site operators to explain their privacy practices to visitors and allows users to configure their browsers and other software tools to provide notifications about whether Web site privacy policies match their preferences.

OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (PII), directs agencies to eliminate the unnecessary collection and use of Social Security Numbers (SSNs). SSNs may only be required when their collection is authorized by statute and individuals are informed whether provision of the SSN is optional or required.

A SORN (System of Records Notice) refers to the notice which describes the purpose of the system, the legal authority to collect information, the categories of information collected, maintained, retrieved, and used within a set of records, the categories of individuals for whom the information is collected, to whom the information can be disclosed, and the safeguards for protecting the information. SORNs are written broadly to cover information collections designed to retrieve information about an individual by a name or personal identifier linked to the individual. If a collection of records that includes Privacy Act information is proposed for operation and is NOT covered under an existing SORN, one shall be developed and posted in the Federal Register 40 days prior to collection of the data. If no existing SORN covers the proposed data collection, the IC or OD office System Owner/Manager shall work with the IC Privacy Coordinator or NIH Privacy Act Officer to put one in place. Otherwise, the system of records is unauthorized and shall not be operated.

An adapted PIA (Privacy Impact Assessment) is required on all NIH uses of a third-party Web site or application (TPWA). A TPWA can be defined as a Web-based technology not exclusively operated or controlled by a government entity, or a Web-based technology that involves significant participation of a non-government entity. Often, these technologies are located on a “.com” Web site or other location that is not part of an official government domain. However, TPWAs can also be embedded or incorporated on an agency’s official Web site (e.g., Web 2.0 applications and social media networks such as Facebook, Twitter, YouTube, MySpace, LinkedIn, Flickr, blogs, e-mail subscription services, mobile applications, and mobile Web sites). Each adapted PIA shall be tailored to address the specific functions of the Web site or application. It should describe (1) the specific purpose of the agency’s use of the TPWA, (2) any PII that is likely to become available to the agency through public use of the TPWA, (3) the agency’s intended or expected use of PII, (4) with whom the agency will share the PII, (5) whether and how the agency will maintain PII, and for how long, (6) how the agency will secure PII that it uses or maintains, (7) what other privacy risks exist and how the agency will mitigate those risks, and (8) whether the agency’s activities will create or modify a “system of records” under the Privacy Act. IC and OD office staff shall work with their Privacy Coordinator and Information Systems Security Officer (ISSO) to determine if a PIA is needed, when updates are necessary, and to ensure full compliance with OMB, HHS and NIH policies.

Web sites used for the purpose of recruiting study subjects shall comply with the human subject protection regulations at 45 CFR Part 46 and 21 CFR Part 56. These regulations require that an Institutional Review Board (IRB) review and approve all research activities, including the use of advertising and plans for protecting the confidentiality of actual and prospective subjects. See OHRP guidance at http://www.hhs.gov/ohrp/policy/clinicaltrials.html, FDA guidance at http://www.fda.gov/RegulatoryInformation/Guidances/ucm126428.htm and NIH policy (Manual Chapter 2809, NIH Social and New Media, Appendix 1) at http://oma.od.nih.gov/manualchapters/management/2809.
NIH Web sites that are set up for the intended use by children under the age of 13, or that knowingly collect personal information from them, shall comply with the Children’s Online Privacy Protection Act of 1998 (COPPA), which restricts the marketing of products and services online to children under 13. NIH “Kid’s Pages” shall comply with the following standards set forth in COPPA, specifically:

The “Kid’s Page” privacy notice shall include:

(1) A description of the specific types of personal information you collect directly from children (e.g., name, age, home address, e-mail address, hobbies, personal characteristics, etc.), and whether any additional information is collected passively (e.g., via cookies and other Web measurement and customization technologies);

(1) The IC or OD office shall obtain parental consent when it collects an e-mail address or other personal information and:
(a) Plans to change the kinds of information previously collected;

(2) Parental consent is not necessary if the "Kid’s Page" site collects an e-mail address to:
(a) Respond to a one-time request from the child, after which the e-mail address from the child is deleted (e.g., research poster, response to a survey or inquiry, and similar requests). Repeated contact with the same child requires consent;

(1) Parents have the right to review, change or revoke their consent and ask that information about their children be deleted from the site’s database at any time. When a parent revokes consent, the Web site shall immediately stop collecting, using or disclosing information from that child.

E-mail messages raise privacy issues similar to those of Web sites. They not only convey information in text or HTML formats, but they may also involve hyperlinks, forms, cookies, Web beacons and active content. Commercial e-mail includes promotional or marketing messages that recipients have indicated they wish to receive. Common privacy principles include no false or misleading header information, no deceptive subject lines, opt-out mechanisms in each message, notification to the recipient that the message contains an advertisement or promotional information, and information about the sending organization. IC and OD offices shall include in their privacy notice a statement to users about how the site handles unsolicited e-mail, and a notice that the sender should not expect privacy. The following is a sample statement:

“E-mail sent to NIH may be seen by a number of people who are responsible for answering questions. If you send us an e-mail, you are advised that e-mail is not necessarily secure against interception. If your communication includes sensitive information like your Social Security Number or personal health information, it is advisable that you contact us by postal mail or telephone rather than e-mail.”

Web measurement and customization technologies are used to remember a user’s online interactions with a Web site or online application in order to conduct measurement and analysis of usage or to customize the user’s experience. Single-session technologies remember a user’s online interactions within a single session or visit. Any identifier correlated to a particular user is used only within that session, is not later reused, and is deleted immediately after the session ends. Multi-session technologies remember a user’s online interactions through multiple sessions. This approach requires the use of a persistent identifier for each user, which lasts across multiple sessions or visits.
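The single-session versus multi-session distinction above is visible in the Set-Cookie headers a site sends, so it can be audited mechanically. The following Python script is an added example, not part of this chapter and not NIH code: it classifies each constructed Set-Cookie header as single-session (no lifetime attribute) or multi-session (a Max-Age or Expires lifetime), compares persistent lifetimes against a retention period, and applies the same period to a constructed measurement log. The sample headers, the fixed clock, and the 365-day default (taken from the one-year retention guidance this chapter gives for such data) are assumptions made for the example.

```python
"""Added example (not part of this chapter or NIH code): audit Set-Cookie
headers for single-session vs multi-session use and enforce a retention
period on Web measurement data. Sample headers, the fixed clock and the
365-day default are constructed assumptions for illustration."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample response headers, not captured from any real site.
SAMPLE_SET_COOKIE = [
    "JSESSIONID=abc123; Path=/; HttpOnly; Secure",                     # no lifetime: single session
    "nih_optout=1; Max-Age=63072000; Path=/; Secure",                   # 730 days: multi-session
    "visitor_id=v-42; Expires=Wed, 01 Jan 2014 00:00:00 GMT; Path=/",  # multi-session, absolute expiry
]

# Fixed clock so the example is deterministic (assumption).
NOW = datetime(2013, 6, 1, tzinfo=timezone.utc)
# One year: the retention limit this chapter recommends absent a specific need.
DEFAULT_RETENTION = timedelta(days=365)


def cookie_lifetime(header, now=NOW):
    """Return (name, lifetime): lifetime is None for a session cookie,
    otherwise a timedelta from Max-Age (preferred) or Expires."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()          # one cookie per Set-Cookie header
    if morsel["max-age"]:
        return name, timedelta(seconds=int(morsel["max-age"]))
    if morsel["expires"]:
        return name, parsedate_to_datetime(morsel["expires"]) - now
    return name, None


def audit_cookies(headers, retention=DEFAULT_RETENTION, now=NOW):
    """Classify each cookie. A persistent identifier makes the use
    multi-session (Tier 2 or Tier 3 under this chapter; which one is a
    policy judgement the header alone cannot settle) and its lifetime is
    compared against the stated retention period."""
    report = {}
    for header in headers:
        name, lifetime = cookie_lifetime(header, now)
        if lifetime is None:
            report[name] = {"scope": "single-session", "lifetime_days": 0,
                            "exceeds_retention": False}
        else:
            report[name] = {"scope": "multi-session", "lifetime_days": lifetime.days,
                            "exceeds_retention": lifetime > retention}
    return report


# Constructed measurement log: (persistent identifier, time last seen).
SAMPLE_LOG = [
    ("v-41", datetime(2012, 3, 1, tzinfo=timezone.utc)),   # 457 days old
    ("v-42", datetime(2013, 5, 20, tzinfo=timezone.utc)),  # 12 days old
]


def purge_beyond_retention(records, retention=DEFAULT_RETENTION, now=NOW):
    """Technical enforcement of the retention period: keep only records
    seen within the window, so stale identifiers do not linger."""
    return [record for record in records if now - record[1] <= retention]


if __name__ == "__main__":
    for name, finding in audit_cookies(SAMPLE_SET_COOKIE).items():
        print(name, finding)
    print("retained:", [r[0] for r in purge_beyond_retention(SAMPLE_LOG)])
```

Run against a real site, the header list would come from the responses the site actually returns; the point of the fixed clock is that the report is reproducible for a review. A cookie that merely remembers an opt-out (like the constructed nih_optout) is still multi-session and still needs a lifetime that matches the stated retention.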
Refer to OMB Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies. Subject to the limitations described below, Web measurement and customization technologies (e.g., Web server logs, cookies, Web beacons, proxies, etc.) may be used for the purpose of improving IC and OD office services online through conducting measurement and analysis of usage or through customization of the user’s experience. Where information is gathered automatically as the user navigates from page to page on a Web site or across Web sites, under no circumstances may such technologies be used:

(1) To track user individual-level activity on the Internet outside of the Web site or application from which the technology originates;

Below are the defined tiers for authorized use of Web measurement and customization technologies.

(1) Tier 1 – Single Session. This tier encompasses any use of single-session Web measurement and customization technologies.

ICs and OD offices shall not use Web measurement and customization technologies from which it is not easy for the public to opt out. Opt-in/opt-out mechanisms shall be designed to be easily accessible and understandable and shall be implemented uniformly across all Web sites. ICs and OD offices shall explain in their Privacy Policy the decision to enable Web measurement and customization technologies by default or not, thus requiring users to make an opt-out or opt-in decision. ICs and OD offices shall provide users who decline to opt in or decide to opt out with access to comparable information or services.

(1) NIH-side opt-out. ICs and OD offices are encouraged and authorized, where appropriate, to use Web tracking and measurement technologies in order to remember that a user has opted out of all other uses of such technologies on the relevant domain or application. Such uses are considered Tier 2.

(a) Purpose of the Web measurement and/or customization technology;

All uses of Web measurement and customization technologies shall comply with existing policies with respect to privacy and data safeguarding standards. If applicable, ICs and OD offices shall cite the PIA and/or SORN in their online Privacy Policy. If ICs and OD offices are using a Web site or application hosted on a third-party site using Web measurement and customization technologies to which federal privacy and data safeguarding standards do not apply, they should provide the public with alternatives for acquiring comparable information and services. For example, members of the public should be able to learn about NIH activities or communicate with the IC and OD offices without having to join a third-party social media Web site. If the third-party service is used to solicit feedback, ICs and OD offices shall provide an alternative government e-mail address where users can also send feedback. Additional guidance on the use of social media Web sites is addressed in NIH Manual Chapter 2809, Social and New Media, and OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Web Sites and Applications.

IC and OD offices shall retain data collected from Web measurement and customization technologies for only as long as necessary to achieve the specific objective for which it was collected. Moreover, only staff who need access to the data shall be allowed to have it.

(1) Retention Time. The time frame for retention of data shall be both limited and correlated to a specific objective. If not required by law, policy, or a specific need for the Web measurement or customization objective, IC and OD offices should limit the retention of such data to one year or less.

To the extent feasible, technical enforcement mechanisms should be put in place to implement stated retention times and to limit access to authorized personnel. Where technical enforcement mechanisms are not feasible, policy or contractual enforcement mechanisms shall be present. IC and OD offices using Web measurement and customization technology must annually review their systems and procedures to demonstrate that they are in compliance with this policy. The results of this review shall be posted on http://www.hhs.gov/open/. IC and OD offices are authorized to use Tier 1 or Tier 2 technologies as long as they are in compliance with this policy and provide clear and conspicuous notice in their online Privacy Policy citing the use of such technologies. Any proposed use by an IC or OD office to engage in Tier 3 measurement and customization technology usage shall be reviewed by the NIH Chief Information Officer (CIO). (See Appendix 1)

(1) The NIH CIO will review the form and forward it to the NIH Senior Official for Privacy (SOP) for review. Following SOP review and CIO approval, the SOP will send the form to the Department. Following HHS review, HHS will post the notice for public comment on the Department’s Open Government Web page at http://www.hhs.gov/open/ for 30 days. After the notice and comment period have passed, and approval by the HHS Senior Agency Official for Privacy (SAOP) has been granted, the NIH CIO will notify the IC or OD office to cite the Departmental approval in their online Privacy Policy prior to using the Tier 3 Web measurement and customization technology.

Before an IC or OD office uses any third-party Web site or application to engage with the public, it should examine the third party’s privacy policy to evaluate the risks and determine whether the Web site or application is appropriate for NIH use. In addition, the IC or OD office shall monitor any changes to the third party’s privacy policy and periodically reassess the risks.

ICs and OD offices may post a link to external government and non-government sites that are not part of the official NIH.gov domain, such as a third-party social network site. NIH IC and OD office Web pages containing links to external Web pages not located on the NIH network shall provide a statement adjacent to the link, or a "pop-up" disclaimer, that explains that visitors are being directed to an external government or non-government Web site that may have different privacy policies from those of the NIH official Web site. The visitor should understand that they are exiting the NIH domain and that NIH is not responsible for the material found on, or the data collection activities of, external Web pages. Sample disclaimers are provided at: http://ocio.nih.gov/policy/disclsamp.html

If an IC or OD office incorporates or embeds a third-party application on its Web site or any other official NIH domain, it shall take the necessary steps to disclose the third party’s involvement and describe the NIH activities in its privacy policy. When an IC or OD office uses a third-party Web site or application that is not part of the official NIH domain, it shall apply appropriate branding to distinguish NIH activities from those of non-government actors. For example, to the extent practicable, NIH should add its seal or emblem to its profile page on a social media Web site to indicate that it is an official agency presence.
If information is collected through the IC or OD office use of a third-party Web site or application, NIH shall collect only the information “necessary” for the proper performance of agency functions and which has practical utility. Where a user actively provides PII via an online form, profile, account setting or other technique, NIH shall collect only the minimum necessary to accomplish its purpose, and all applicable policies and regulations governing PII must be followed.

A Web form is a portion of a Web page that contains fields that users can fill in with data (including personal information). When the user submits the form, it is sent to a Web server that processes the information, where it can be stored in a database. Web forms shall be designed to require only what is really needed (and make clear what, if anything, is optional). They shall be accompanied by a link to the privacy notice or statement at the point of collection. They shall:

(1) Use the POST method of form submission (the alternative GET method can inadvertently spill PII to third parties via the referrer URL);

“Contract” covers any contract subject to the Federal Acquisition Regulations (FAR). When an agency contracts for the design, development, or operation of a Web site or Web page necessary to accomplish an NIH function, the IC or OD office shall apply the requirements of this policy to the contract. Web sites or Web pages operated under a contract, which are designed, developed or operated to accomplish an NIH function, are, in effect, deemed to be maintained by the agency. The Contracting Officer is the official who oversees the development of the documentation and discussions of assigned contracts for award and administration, performs the final review of contract actions, and provides final signature authority. Health and Human Services Acquisition Regulation (HHSAR) Section 324.103(a) states that all requests for contract shall be reviewed by the Contracting Officer to determine whether the Privacy Act requirements are applicable. Solicitations and contracts (both prime and sub) that require the contractor to maintain a system of records covered by the Privacy Act (i.e., when the records will contain personal information that is retrieved by an individual identifier) shall state that the Privacy Act applies and include the appropriate FAR citations listed below:

(1) FAR Clause 52.224-1, Privacy Act Notification

Contracts for the development, maintenance, or management of NIH Web sites shall include certain language (See Appendix 2, Contract Sample Language). When Federal Information Security Management Act (FISMA) security requirements relevant to the acquisition need to be included, the Project Officer (PO), IC Information Systems Security Officer (ISSO), and the IC Privacy Officer will assist the acquisitions staff in selecting the appropriate language. NIH sample language for IT Security Acquisition Provisions is available at: http://ocio.nih.gov/docs/public/IT-Security-Acquisition-Provisions.doc

D. ADDITIONAL INFORMATION/REQUIREMENTS:
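The Web-form requirement in section C (submit with POST, link the privacy notice at the point of collection, collect only what is needed) can be checked and enforced in code. The following Python example is added here for illustration and is not NIH code: it shows which fields a GET submission would expose through the Referer header of a later request, and a minimal WSGI handler that accepts the form only by POST. The URLs under example.invalid, the sample field values and the function names are constructed for this example.

```python
"""Added example (not NIH code): why a PII-collecting Web form should submit
with POST, and a minimal handler that enforces it. The example.invalid URLs,
sample field values and function names are constructed for illustration."""
import io
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample submission (fake values, not real PII).
SAMPLE_FIELDS = {"name": "Jane Example", "email": "jane@example.invalid"}
FORM_ACTION = "https://www.example.invalid/contact"     # hypothetical handler URL
PRIVACY_NOTICE = "https://www.example.invalid/privacy"  # hypothetical notice URL


def build_submission(method, action, fields):
    """Return (request_target, body) the way a browser submits an HTML form.
    With GET every field lands in the URL; with POST it goes in the body."""
    if method == "GET":
        return f"{action}?{urlencode(fields)}", b""
    if method == "POST":
        return action, urlencode(fields).encode()
    raise ValueError(f"unsupported form method {method!r}")


def fields_exposed_in_referer(method, action, fields):
    """Field names that would travel in the Referer header of the *next*
    request (for example a third-party script or an off-site link on the
    confirmation page). Absent a restrictive Referrer-Policy the path and
    query string are sent onward; the request body never is."""
    target, _ = build_submission(method, action, fields)
    leaked = parse_qs(urlsplit(target).query)
    return sorted(name for name in fields if name in leaked)


def form_handler(environ, start_response):
    """Minimal WSGI app: accepts the form only via POST, links the privacy
    notice, and sets headers that stop the confirmation page from leaking."""
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("405 Method Not Allowed",
                       [("Allow", "POST"), ("Content-Type", "text/plain")])
        return [b"This form must be submitted with POST."]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    submitted = parse_qs(environ["wsgi.input"].read(length).decode())
    # Keep only the fields the form actually needs (minimum necessary).
    record = {k: submitted[k][0] for k in SAMPLE_FIELDS if k in submitted}
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Referrer-Policy", "no-referrer"),   # never send this URL onward
        ("Cache-Control", "no-store"),        # do not cache a page built from PII
        ("Link", f'<{PRIVACY_NOTICE}>; rel="privacy-policy"'),
    ]
    start_response("200 OK", headers)
    body = (f"<p>Thank you, {len(record)} field(s) received.</p>"
            f'<a href="{PRIVACY_NOTICE}">Privacy notice</a>')
    return [body.encode()]


def call_form_handler(method, fields):
    """Drive form_handler offline with a constructed WSGI environ."""
    target, body = build_submission(method, FORM_ACTION, fields)
    parts = urlsplit(target)
    environ = {"REQUEST_METHOD": method, "PATH_INFO": parts.path,
               "QUERY_STRING": parts.query, "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": io.BytesIO(body)}
    captured = {}

    def start_response(status, response_headers):
        captured["status"], captured["headers"] = status, dict(response_headers)

    out = b"".join(form_handler(environ, start_response))
    return captured["status"], captured["headers"], out


if __name__ == "__main__":
    print("GET exposes:", fields_exposed_in_referer("GET", FORM_ACTION, SAMPLE_FIELDS))
    print("POST exposes:", fields_exposed_in_referer("POST", FORM_ACTION, SAMPLE_FIELDS))
    print(call_form_handler("GET", SAMPLE_FIELDS)[0])
    print(call_form_handler("POST", SAMPLE_FIELDS)[0])
```

The 405 response is the server-side check; the Referrer-Policy and Cache-Control headers are defence in depth for the page that follows the submission, so that neither a browser cache nor an outbound link carries the submitted values further.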
E. RESPONSIBILITIES:

IC and OD office staff shall comply with the privacy policies in this chapter prior to posting new or revised Web pages. For example, if an IC or OD office Web site states that the information collected will not be available to any other entity, it is the responsibility of the IC or OD office to assure that no such sharing takes place. To ensure adherence to this policy, each IC and OD office shall review all new Web sites and Web page information to be posted or altered for compliance with the NIH privacy and security policy. The following are officials with responsibilities associated with this policy:

F. PROCEDURES:

Online Web activities shall follow appropriate procedures and clearances. In most cases, the procedures to be followed for print publication apply unless one is posting content that has already been cleared for public use. For other types of less formal content, such as blogs, micro-blogging, and replies to comments in public online space, coordinate your activities through your supervisory channels. At a minimum, contact the IC or OD office (1) Communications Office for approval to communicate outgoing messages on behalf of the IC or OD office and to ensure that content procedures are followed, (2) CIO Office or ISSO to learn of security procedures that shall be followed and, (3) FOIA, PRA, Records and Privacy liaisons to learn about requirements under the Freedom of Information Act, Paperwork Reduction Act, Records Act and Privacy Act.

G. RECORDS RETENTION AND DISPOSAL:

All records (e-mail and non-e-mail) pertaining to this chapter shall be retained and disposed of under the authority of NIH Manual 1743, “Keeping and Destroying Records”, Appendix 1, NIH Records Control Schedule, in accordance with the specific schedule item as applied to the kind of records. NIH e-mail messages, including attachments, that are created on NIH computer systems or transmitted over NIH networks and that are evidence of the activities of the agency or have informational value are considered federal records. These records shall be maintained in accordance with current NIH Records Management guidelines. Contact your IC Records Liaison or the NIH Records Officer for additional information. All e-mail messages are considered government property and, if requested for a legitimate government purpose, shall be provided to the requester; employees’ supervisors, NIH staff conducting official reviews or investigations, and the Office of the Inspector General may request access to or copies of the e-mail messages. E-mail messages shall also be provided to Congressional oversight committees if requested and are subject to Freedom of Information Act requests. Back-up files are subject to the same information requests as original messages and documents.

Web 2.0 Information: A challenge associated with the use of Web 2.0 technologies, including government blogs and wikis and Web pages hosted by commercial providers, is the question of whether information exchanged through these technologies constitutes federal records pursuant to the Federal Records Act. According to the guidance, records generated when a user interacts with an agency Web site may form part of a set of official agency records. National Archives and Records Administration (NARA) guidance indicates that content created with interactive software on government Web sites is owned by the government, not the individuals who created it, is likely to constitute agency records, and should be managed as such. NARA issued “Guidance on Managing Web Records” to help agencies decide which records generated by these technologies should be considered agency records: http://www.archives.gov/records-mgmt/pdf/managing-web-records-index.pdf

H. INTERNAL CONTROLS:

This policy directs ICs and OD offices to meet requirements related to privacy and the protection of personal information on NIH Web pages. Oversight shall be carried out through a coordinated effort between the Office of Management Assessment (OMA), Office of the Chief Information Officer (OCIO), and Office of Communications and Public Liaison (OCPL). Reviews shall be ongoing. Appropriate internal controls shall be in place before a Web page may be utilized. Webmasters, content managers, developers and programmers responsible for the design, development and management of NIH Web pages are responsible for ensuring compliance with NIH policy. Each year, a workgroup of members from OMA, OCIO and OCPL shall survey a sample of NIH Web sites for compliance with NIH policy. External reviews conducted by the OIG/GAO may be used as an alternative internal control review for this purpose. Additionally, the issuing office may decide to initiate an internal Risk Assessment (RA) at the IC or OD level. Reports shall be sent to the NIH Deputy Director for Management (DDM) and circulated to NIH privacy, security and Web stakeholders, as deemed appropriate by OMA, OCIO and OCPL. Reports should indicate that controls are in place and working well, or indicate any internal control issues that require the attention of the report recipient(s).

I. REFERENCES:

Laws
OMB Circulars and Memorandum
Federal Acquisition Regulations (FAR)
HHS Policy
NIH Policy
NIH Guidance
National Archives and Records Administration (NARA)
APPENDIX 1 – FORM TO REQUEST HHS APPROVAL OF TIER 3 TECHNOLOGY
APPENDIX 2 – CONTRACT SAMPLE LANGUAGE

A. When FISMA security requirements relevant to the acquisition need to be included, the Project Officer (PO), IC Information Systems Security Officer (ISSO), and the IC Privacy Officer will assist the acquisition staff in selecting the appropriate language. NIH sample language for IT Security Acquisition Provisions is available at:

B. Solicitations and contracts (prime and sub) to design, develop, operate or manage a Web site or Web page on behalf of the government which requires the contractor to maintain a system of records covered by the Privacy Act shall state that the Privacy Act applies and include the appropriate FAR clauses:

Privacy Act Notification FAR, Sec. 52.224-1

The Contractor will be required to design, develop, or operate a system of records on individuals, to accomplish an agency function subject to the Privacy Act of 1974, Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Act may involve the imposition of criminal penalties.

Privacy Act FAR, Sec. 52.224-2

(a) The Contractor agrees to--
(1) Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies--
(i) The systems of records; and
(2) Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the design, development, or operation of a system of records on individuals that is subject to the Act; and
(3) Include this clause, including this subparagraph (3), in all subcontracts awarded under this contract which require the design, development, or operation of such a system of records.
(b) In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a system of records on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a system of records on individuals to accomplish an agency function. For purposes of the Act, when the contract is for the operation of a system of records on individuals to accomplish an agency function, the Contractor and any employee of the Contractor is considered to be an employee of the agency.
(c) (1) Operation of a system of records, as used in this clause, means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records.
(2) Record, as used in this clause, means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and that contains the person’s name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voiceprint or a photograph.
(3) System of records on individuals, as used in this clause, means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

Privacy or Security Safeguards

(a) The Contractor shall not publish or disclose in any manner, without the Contracting Officer’s written consent, the details of any safeguards either designed or developed by the Contractor under this contract or otherwise provided by the Government.
(b) To the extent required to carry out a program of inspection to safeguard against threats and hazards to the security, integrity, and confidentiality of Government data, the Contractor shall afford the Government access to the Contractor’s facilities, installations, technical capabilities, operations, documentation, records, and databases.
(c) If new or unanticipated threats or hazards are discovered by either the Government or the Contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party.

Applicability of the Privacy Act

(f) Whenever the contracting officer is informed that the Privacy Act is not applicable, but the resultant contract will involve the collection of individually identifiable personal data by the contractor, the contracting officer shall include provisions to protect the confidentiality of the records and the privacy of individuals identified in the records.

Confidentiality of Information HHSAR Sec. 352.224-70

(a) Confidential information, as used in this clause, means information or data of a personal nature about an individual, or proprietary information or data submitted by or pertaining to an institution or organization.
(b) The Contracting Officer and the Contractor may, by mutual consent, identify elsewhere in this contract specific information and/or categories of information which the Government will furnish to the Contractor or that the Contractor is expected to generate which is confidential. Similarly, the Contracting Officer and the Contractor may, by mutual consent, identify such confidential information from time to time during the performance of the contract. Failure to agree will be settled pursuant to the “Disputes” clause.
(c) If it is established elsewhere in this contract that information to be utilized under this contract, or a portion thereof, is subject to the Privacy Act, the Contractor will follow the rules and procedures of disclosure set forth in the Privacy Act of 1974, 5 U.S.C. 552a, and implementing regulations and policies, with respect to systems of records determined to be subject to the Privacy Act.
(d) Confidential information, as defined in paragraph (a) of this clause, shall not be disclosed without the prior written consent of the individual, institution, or organization.
(e) Whenever the Contractor is uncertain with regard to the proper handling of material under the contract, or if the material in question is subject to the Privacy Act or is confidential information subject to the provisions of this clause, the Contractor should obtain a written determination from the Contracting Officer prior to any release, disclosure, dissemination, or publication.
(f) Contracting Officer determinations will reflect the result of internal coordination with appropriate program and legal officials.
(g) The provisions of paragraph (d) of this clause shall not apply to conflicting or overlapping provisions in other Federal, State, or local laws.

Privacy Act HHSAR Sec. 352.270-11

This contract requires the Contractor to perform one or more of the following: (a) design; (b) develop; or (c) operate a Federal agency system of records to accomplish an agency function in accordance with the Privacy Act of 1974 (Act) (5 U.S.C. 552a(m)(1)) and applicable agency regulations. The term “system of records” means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. Violations of the Act by the Contractor and/or its employees may result in the imposition of criminal penalties (5 U.S.C. 552a(i)). The Contractor shall ensure that each of its employees knows the prescribed rules of conduct and that each employee is aware that he/she is subject to criminal penalties for violation of the Act to the same extent as HHS employees. These provisions also apply to all subcontracts awarded under this contract which require the design, development or operation of the designated system(s) of records (5 U.S.C. 552a(m)(1)). The contract work statement: (a) identifies the system(s) of records and the design, development, or operation work to be performed by the Contractor; and (b) specifies the disposition to be made of such records upon completion of contract performance.

B. Additional Contract Language:

1. Under Federal Information Technology policy, Web sites owned or operated by or for the government shall post clear privacy policies on top-level/principal Web sites, including NIH and Institute/Center-level sites, major on-line public resource sites and any other known major entry points. Web sites that are owned or operated by a contractor on behalf of the NIH that implement and use mechanisms that collect and maintain personally identifiable information from individuals who visit the Web site, e.g., cookies, Web server logs, surveys, and similar mechanisms, may not use that information to identify specific individuals without a valid Privacy Act System Notice published in the Federal Register which covers the identifiable records.

2. NIH IC and OD office Web pages containing links to external Web pages not located on NIH servers should include a link to an Exit statement that disclaims NIH responsibility for the protection of privacy and material included in the external Web pages. Sample Disclaimers are available at: http://ocio.nih.gov/policy/disclsamp.html

3. Web pages that are directed to children under the age of 13 have additional requirements as provided in the Children’s Online Privacy Protection Act of 1998 (15 U.S.C.
6501 et seq.), and implementing regulations (16 CFR 312) available at: http://www.coppa.org/coppa.htm 4. Additional guidance and requirements for the publication of data on NIH Web servers and acceptable uses for Web pages created for NIH is posted at: http://ocio.nih.gov/policy/guideli2.html |