NIH POLICY MANUAL

2805 – NIH Web Privacy Policy

Issuing Offices: OMA 301-496-2832; OCPL 301-496-5787; and OCIO 301-496-1168
Release Date: 08/08/11


  1. Explanation of Material Transmitted: This chapter establishes policies and procedures for ensuring the privacy and protection of personal information collected, stored, used, maintained and disseminated via NIH Web sites. This policy applies to NIH Internet Web sites that are developed and/or maintained by NIH staff or by contract personnel. This revision includes new privacy requirements for emerging web-based technologies that are not exclusively operated or controlled by NIH, or which involve the significant participation of a non-government entity. Often these technologies are located on a “.com” Website or other location that is not part of the NIH official government domain. They may include Third-Party Websites or Applications (TPWAs) and Web Measurement and Customization Technologies embedded or incorporated on NIH Websites.
  2. Filing Instructions:

Remove: Manual Issuance 2805, dated 12/18/01.
Insert: Manual Issuance 2805, dated 08/08/11.

PLEASE NOTE: For information on:

  • Content of this chapter, contact the issuing offices listed above.
  • NIH Manual System, contact the Division of Management Support, OMA on 301-496-2832, or enter this URL: http://oma.od.nih.gov/manualchapters/

A. PURPOSE:

This chapter establishes policies and procedures for ensuring the privacy and protection of personal information collected, stored, used, maintained and disseminated via NIH Web sites. This policy applies to NIH Internet Web sites that are developed and/or maintained by NIH staff or by contract personnel. This policy does not apply to internal agency activities (such as on intranets, applications, or interactions that do not involve the public) or to activities that are part of authorized law enforcement, national security, or intelligence activities.

B. BACKGROUND:

The Web is a powerful tool for conveying information about the activities, objectives, policies and programs of the Federal Government and NIH. It is important that visitors to federal Web sites know that their private information is appropriately protected by the agency when they are accessing these sites, and that agency staff understand their responsibility to safeguard the personally identifiable information (PII) made available, whether solicited or unsolicited, to the agency.

Potential consequences for not adequately protecting privacy in the government include criminal and civil penalties, negative impact on individuals where PII is collected and not appropriately used, reduced mission effectiveness and loss of credibility, confidence, and trust in NIH.

C. POLICY:

  1. General Requirements

    Privacy Policy – A Web privacy policy shall be clearly posted on all NIH top-level/principal Web sites, including NIH and Institute/Center (IC) level sites, major on-line public resource sites and any other known major public facing entry points, as well as any Web page that collects or posts personal information. (See URL: http://www.nih.gov/about/privacy.htm)

    Privacy Notice/Statement – A comprehensive online privacy notice discusses the information collected through the Web site and typically covers the effective date, scope, information collected (both actively and passively), information uses, choices available, how to modify information or preferences, how to contact or register a dispute, and how policy changes will be communicated. They are easy to find and at or before the point of collection. They are linked from the Web site homepage and from each and all information collection pages (e.g. site-wide navigation component, or header/footer), from pop-up or pop-under windows that contain web forms and in e-mail messages that originate from the Web site.

    Policy Links – Links to the Institute or OD office privacy policy shall be clearly labeled and easy to access by all visitors to the Web site. If the privacy policy is combined with another mandated or recommended Web site statement, the link should be visibly labeled accordingly, e.g., “Privacy Policy/Disclaimer.”

    Plain Language – Web privacy policies shall conform to the Plain Writing Act of 2010 which defines “plain writing” as writing that is clear, concise, well-organized, and follows other best practices appropriate to the subject or field and intended audience. Web privacy policies shall clearly and concisely inform visitors to the site of:

    1. Specific purpose of the agency use of the Web site;
    2. How the agency will use PII that becomes available through the use of the Web site;
    3. Who at the agency will have access to PII;
    4. With whom PII will be shared outside the agency;
    5. Whether and how the agency will maintain PII, and for how long;
    6. How the agency will secure PII that it uses or maintains; and,
    7. What other privacy risks exist and how the agency will mitigate those risks.

    NIH staff shall also comply with the following NIH policy:

    NIH Manual Chapter 1825, Information Collection from the Public
    NIH Manual Chapter 2804, NIH Public-Facing Web Management
    NIH Manual Chapter 2809, Social and New Media

    Machine-Readable Format – Web privacy policies and statements shall be represented in a machine-readable format (e.g. an XML-based standard). The Platform for Privacy Preferences (P3P) is a way to translate a privacy policy into a machine-readable format that a browser decodes in order to determine what the policy says. P3P is designed to provide Internet users with a clear understanding of how PII will be used by a particular Web site. It allows Web site operators to explain their privacy practices to visitors and allows users to configure their browsers and other software tools to provide notifications about whether Web site privacy policies match their preferences.

  2. Privacy Act Requirements
    1. Privacy Notice or Notification Statement: Any NIH Web site or property that collects and/or maintains PII that will, in practice, be retrieved by a personal identifier, shall include a privacy notice or notification statement. The notice shall be on or directly linked to the information collection page and contain the following information:

      (1) Authority (whether granted by statute, regulation, or executive order) which authorizes the solicitation and/or collection of the information;
      (2) Purpose of the information collection;
      (3) Routine uses for information disclosure (likely or known disclosures of the data made outside of the Department of Health and Human Services (HHS), without the consent of the subject individual, for a purpose which is compatible with the purpose for which the record was collected);
      (4) Whether disclosure of the information is mandatory or voluntary; and,
      (5) What effect, if any, there will be on the individual if they choose not to provide all or part of the requested information.

      OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (PII), directs agencies to eliminate the unnecessary collection and use of Social Security Numbers (SSNs). SSNs may only be required when their collection is authorized by statute and individuals are informed whether provision of the SSN is optional or required.

    2. System of Records Notice (SORN): Any NIH Web site, Web page or property designed to retrieve information about an individual by a personal identifier linked to them shall have a valid Privacy Act System Notice published in the Federal Register which covers the record system.

      A SORN refers to the notice which describes the purpose of the system, the legal authority to collect information, the categories of information collected, maintained, retrieved, and used within a set of records, the categories of individuals for whom the information is collected, and to whom the information can be disclosed, and safeguards for protecting the information. The SORNs are written broadly to cover information collections designed to retrieve information about an individual by a name or personal identifier linked to the individual. If a collection of records that includes Privacy Act information is proposed for operation and is NOT covered under an existing SORN, one shall be developed and posted in the Federal Register 40 days prior to collection of the data. If no existing SORN covers the proposed data collection, the IC or OD office System Owner/Manager shall work with the IC Privacy Coordinator or NIH Privacy Act Officer to put one in place. Otherwise, the system of records is unauthorized and shall not be operated.

    3. Privacy Impact Assessment: A Privacy Impact Assessment (PIA) shall be conducted on all IT systems (i.e., Web sites, databases associated with a Web site, etc.) owned, operated or controlled by the NIH or contractor acting on its behalf. A PIA is a living document that shall be updated when a major change occurs within an IT system as defined in OMB Memorandum M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002. The PIA is an analysis tool designed to identify any privacy or security risk associated with information that is collected, processed, stored, and/or transmitted by an IT system. A PIA collects data on the information to be contained/collected by an IT system, how the information will be used, and what safeguards will be put into place to protect the collected information. The PIA process assists System Owners/Managers in thoroughly assessing all phases of the system development life cycle (SDLC). PIAs should be performed before the development phase of an IT system; however, an initial PIA can be performed on an existing operational IT system if it is found that a PIA is not currently in place. Departmental policy requires that PIAs be conducted and maintained on all IT systems, whether the system is already in existence, in development, or undergoing modification, as defined by the E-Government Act of 2002, OMB guidance, HHS policy, and supporting guidance.

      An adapted PIA is required on all NIH uses of a third-party Web site or application (TPWA). A TPWA can be defined as a Web-based technology not exclusively operated or controlled by a government entity, or a Web-based technology that involves significant participation of a nongovernment entity. Often, these technologies are located on a “.com” Web site or other location that is not part of an official government domain. However, TPWAs can also be embedded or incorporated on an agency’s official Web site (e.g. Web 2.0 applications and social media networks such as Facebook, Twitter, YouTube, MySpace, LinkedIn, Flickr, blogs, email subscription services, mobile applications, and mobile Web sites). Each adapted PIA shall be tailored to address the specific functions of the Web site or application. It should describe (1) the specific purpose of the agency’s use of the TPWA, (2) any PII that is likely to become available to the agency through public use of the TPWA, (3) the agency’s intended or expected use of PII, (4) with whom the agency will share the PII, (5) whether and how the agency will maintain PII, and for how long, (6) how the agency will secure PII that it uses or maintains, (7) what other privacy risks exist and how the agency will mitigate those risks, and (8) whether the agency’s activities will create or modify a “system of records” under the Privacy Act.

      IC and OD office staff shall work with their Privacy Coordinator and Information Systems Security Officer (ISSO) to determine if a PIA is needed, when updates are necessary, and to ensure full compliance with OMB, HHS and NIH policies.

  3. Human Subject Requirements

    Web sites used for the purpose of recruiting study subjects shall comply with the human subject protection regulations at 45 CFR Part 46 and 21 CFR Part 56. These regulations require that an Institutional Review Board (IRB) review and approve all research activities, including the use of advertising and plans for protecting the confidentiality of actual and prospective subjects. See OHRP guidance at http://www.hhs.gov/ohrp/policy/clinicaltrials.html, FDA guidance at http://www.fda.gov/RegulatoryInformation/Guidances/ucm126428.htm and NIH policy (Manual Chapter 2809, NIH Social and New Media, Appendix 1) at http://oma.od.nih.gov/manualchapters/management/2809.

  4. Children’s Online Protection Requirements

    NIH Web sites that are set up for the intended use by children under the age of 13, or that knowingly collect personal information from them, shall comply with the Children’s Online Privacy Protection Act of 1998 (COPPA), which restricts the marketing of products and services online to children under 13. NIH “Kid’s Pages” shall comply with the following standards set forth in the COPPA, specifically:

    1. Avoid Unnecessary Data Collection - Web sites that collect personally identifiable information from children under age 13 should eliminate or reconsider using instruments that could collect data on “Kid’s Pages” if the information is not essential to the IC or OD office program. Using age gate techniques makes it difficult for younger users to provide personal information.
    2. Privacy Notice – Internal or external Web sites and Kid’s Pages that are set up for the intended use by children or that knowingly collect personal information from children under the age of 13, shall contain a privacy notice of the information collection practices (i.e., whether or not the Web sites collect/store information).
    3. The “Kid’s Page” privacy notice shall include:

      (1) A description of the specific types of personal information you collect directly from children (e.g., name, age, home address, e-mail address, hobbies, personal characteristics, etc.), and if any additional information is collected passively (e.g., via cookies and other Web measurement and customization technologies);
      (2) A description of how you will use the information (e.g., make the information available through a child’s participation in a chat room) and, whether personal information is forwarded to a third-party social network Web site and/or application;
      (3) How long your IC will maintain the information;
      (4) Who will have access to the information; and,
      (5) A contact name and information (address, telephone, e-mail address) for the site.

    4. Parental Consent – ICs and OD offices shall ensure that a parent (or legal guardian) of the child receives notice of these information collection practices and consents to those practices before personal information is collected from a child. (Note: Disclosure of personal information is permitted only to the extent that it has also been included as a “purpose” or “routine use” in an active Privacy Act System of Records). Specifically,

      (1) The IC or OD office shall obtain parental consent when it collects an e-mail address or other personal information and:

      (a) Plans to change the kinds of information previously collected;
      (b) Changes how the information is used;
      (c) Offers the information to new or different third-party Web site and/or application;
      (d) Uses the information in a way that is different than how it was specified when parental consent was originally obtained; or
      (e) Gives a child access to a secondary site that was not originally specified in the Web site privacy notice.

      (2) Parental consent is not necessary if the "Kid’s Page" site collects an e-mail address to:

      (a) Respond to a one-time request from the child and then the e-mail address from the child is deleted (e.g., research poster, response to a survey or inquiry, and similar requests). Repeated contact with the same child requires consent;
      (b) Contact the parent;
      (c) Ensure the safety of the child or the site;
      (d) Fulfill an NIH newsletter subscription request for one issue. (Note: Continuation of the subscription requires consent).

    5. Provide Instructions to Parents

      (1) Parents have the right to review, change or revoke their consent and ask that information about their children be deleted from the site’s database at any time. When a parent revokes consent, the Web site shall immediately stop collecting, using or disclosing information from that child.
      (2) It is also advisable that an exit page be placed between the IC or OD office “Kid’s Page” and any external links. This provides clear notification to the child and parent that they are exiting NIH controlled Web space and that NIH can no longer guarantee their privacy or the security of information belonging to them.

  5. E-mail Requirements

    E-mail messages raise privacy issues similar to those of Web sites. They not only convey information in text or HTML formats, but may also involve hyperlinks, forms, cookies, Web beacons and active content.

    Commercial e-mail includes promotional or marketing messages that recipients have indicated they wish to receive. Common privacy principles include no false or misleading header information, no deceptive subject lines, opt-out mechanisms in each message, notification to the recipient that the message contains an advertisement or promotional information, and information about the sending organization.

    IC and OD offices shall include in their privacy notice, a statement to users about how the site handles unsolicited e-mail, and a notice that the sender should not expect privacy.

    The following is a sample statement:

    “E-mail sent to NIH may be seen by a number of people who are responsible for answering questions. If you send us an e-mail, you are advised that e-mail is not necessarily secure against interception. If your communication includes sensitive information like your Social Security Number or personal health information, it is advisable that you contact us by postal mail or telephone rather than e-mail.”

  6. Web Measurement and Customization Technology Requirements

    These technologies are used to remember a user’s online interactions with a Web site or online application in order to conduct measurement and analysis of usage or to customize the user’s experience. Single-session technologies remember a user’s online interactions within a single session or visit. Any identifier correlated to a particular user is used only within that session, is not later reused, and is deleted immediately after the session ends. Multi-session technologies remember a user’s online interactions through multiple sessions. This approach requires the use of a persistent identifier for each user, which lasts across multiple sessions or visits. Refer to OMB Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies.

    1. Appropriate Use and Prohibitions

      Subject to the limitations described below, Web measurement and customization technologies (e.g. Web server logs, cookies, Web beacons, proxies, etc.) may be used for the purpose of improving IC and OD office services online through conducting measurement and analysis of usage or through customization of the user’s experience. Where information is gathered automatically as the user navigates from page to page on a Web site or across Web sites, under no circumstances may such technologies be used:

      (1) To track user individual-level activity on the Internet outside of the Web site or application from which the technology originates;
      (2) To share the data obtained through such technologies, without the user’s explicit consent, with other departments or agencies;
      (3) To cross-reference, without the user’s explicit consent, any data gathered from Web measurement and customization technologies against PII to determine individual-level online activity;
      (4) To collect PII without the user’s explicit consent in any fashion; and,
      (5) For any like usages so designated by the Office of Management and Budget (OMB).

    2. Usage Tiers

      Below are the defined tiers for authorized use of Web measurement and customization technologies.

      (1) Tier 1 – Single Session. This tier encompasses any use of single session Web measurement and customization technologies.
      (2) Tier 2 – Multi-Session without PII. This tier encompasses any use of multi-session Web measurement and customization technologies when no PII is collected (including when the IC and OD office is unable to identify an individual as a result of its use of such technologies).
      (3) Tier 3 – Multi-Session with PII. This tier encompasses any use of multi-session Web measurement and customization technologies when PII is collected (including when the IC or OD office is able to identify an individual as a result of its use of such technologies).

    3. Clear Notice and Personal Choice

      ICs and OD offices shall not use Web measurement and customization technologies from which it is not easy for the public to opt out. Opt-in/opt-out mechanisms shall be designed to be easily accessible and understandable and be implemented uniformly across all Web sites.

      ICs and OD offices shall explain in their Privacy Policy the decision to enable Web measurement and customization technologies by default or not, thus requiring users to make an opt-out or opt-in decision. ICs and OD offices shall provide users who decline to opt-in or decide to opt-out with access to comparable information or services.

      (1) NIH side opt-out. ICs and OD offices are encouraged and authorized, where appropriate, to use Web tracking and measurement technologies in order to remember that a user has opted out of all other uses of such technologies on the relevant domain or application. Such uses are considered Tier 2.
      (2) Client side opt-out. If IC and OD office opt-out mechanisms are not appropriate or available, instructions on how to enable client side opt-out mechanisms may be used. Client side opt-out mechanisms allow the user to opt out of Web measurement and customization technologies by changing the settings of a specific application or program on the user’s local computer. For example, users may be able to disable persistent cookies by changing the settings on commonly used Web browsers. ICs and OD offices should refer to http://www.usa.gov/optout_instructions.shtml which contains general instructions on how the public can opt out of some of the most commonly used Web measurement and customization technologies.
      (3) Tier 3 restrictions. ICs and OD offices employing Tier 3 uses shall use opt-in functionality. Opt-in functionality shall allow the client complete control over the collection and dissemination of their personal information. An opt-in functionality requires a client to self-select the services they wish to subscribe to, and how any information they provide may be used.
      (4) Privacy Policy. The following items shall be included in the IC and OD office online Privacy Policy, in any instance when Web measurement and customization technologies are used:

      (a) Purpose of the Web measurement and/or customization technology;
      (b) Usage Tier, session type, and technology used;
      (c) Nature of the information collected;
      (d) Purpose and use of the information;
      (e) Whether and to whom the information will be disclosed;
      (f) Privacy safeguards applied to the information;
      (g) Data retention policy for the information;
      (h) Whether the technology is enabled by default or not and why;
      (i) How to opt-out of the Web measurement and/or customization technology;
      (j) Statement that opting-out still permits users to access comparable information or services; and,
      (k) Identities of all third-party vendors involved in the measurement and customization process.

    4. Data Safeguarding and Privacy

      All uses of Web measurement and customization technologies shall comply with existing policies with respect to privacy and data safeguarding standards. If applicable, ICs and OD offices shall cite the PIA and/or SORN in their online Privacy Policy.

    5. Comparable Information and Services

      If ICs and OD offices are using a Web site or application hosted on a third-party site using Web measurement and customization technologies to which federal privacy and data safeguarding standards do not apply, they should provide the public with alternatives for acquiring comparable information and services. For example, members of the public should be able to learn about NIH activities or communicate with the IC and OD offices without having to join a third-party social media Web site. If the third-party service is used to solicit feedback, ICs and OD offices shall provide an alternative government e-mail address where users can also send feedback.

      Additional guidance on the use of social media Web sites is addressed in NIH Manual Chapter 2809, Social and New Media and OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Web Sites and Applications.

    6. Data Retention and Access Limits

      IC and OD offices shall retain data collected from Web measurement and customization technologies for only as long as necessary to achieve the specific objective for which it was collected. Moreover, only staff who need access to the data shall be allowed to have it.

      (1) Retention Time. The time frame for retention of data shall be both limited and correlated to a specific objective. If not required by law, policy, or a specific need for the web measurement or customization objective, IC and OD offices should limit the retention of such data to one year or less.

      (2) Records Disposition Schedule. Information collected from web measurement and customization technologies that are determined to be a federal record must comply with Federal Records Act regulations. The General Records Schedule 20 (GRS 20) pertains to Electronic Records; specifically, the disposition authority cited in General Record Schedule 20 Item 1C, “Electronic Records” (“Files/Records Relating to the Creation, Use, and Maintenance of Computer Systems, Applications, or Electronic Records - Electronic files ...created to monitor system usage...”) is applicable to information collected from web measurement and customization technologies. Use of GRS 20 is mandatory for those categories of electronic records described in the schedule unless the IC and OD office have requested an alternative disposition authority from the National Archives and Records Administration (NARA).

    7. Enforcement

      To the extent feasible, technical enforcement mechanisms should be put in place to implement stated retention times and to limit access to authorized personnel. Where technical enforcement mechanisms are not feasible, policy or contractual enforcement mechanisms shall be present.

    8. Verification

      IC and OD offices using Web measurement and customization technology must annually review their systems and procedures to demonstrate that they are in compliance with this policy. The results of this review shall be posted on http://www.hhs.gov/open/.

    9. Approval

      IC and OD offices are authorized to use Tier 1 or Tier 2 technologies as long as they are in compliance with this policy, and provide clear and conspicuous notice in their online Privacy Policy citing the use of such technologies. Any proposed use by an IC or OD office to engage in Tier 3 measurement and customization technology usage shall be reviewed by the NIH Chief Information Officer (CIO). (See Appendix 1)

      (1) The NIH CIO will review the form and forward it to the NIH Senior Official for Privacy (SOP) for review. Following SOP review and CIO approval, the SOP will send the form to the Department. Following HHS review, HHS will post the notice for public comment on the Department’s Open Government Web page at http://www.hhs.gov/open/ for 30 days. After the notice and comment period have passed, and approval by the HHS Senior Agency Official for Privacy (SAOP) has been granted, the NIH CIO will notify the IC or OD office to cite the Departmental approval in their online Privacy Policy prior to using the Tier 3 Web measurement and customization technology.
      (2) If a contractor develops, operates or manages the Web site on behalf of NIH, a copy of the HHS SAOP approval should be kept in the contract file.
      (3) If an IC or OD office is found to be using Web measurement and customization technologies outside of the process or parameters specified by this policy, the office shall immediately cease use of such technologies and inform the NIH CIO of the extent of such unauthorized use.

  7. Third-Party Web sites and/or Applications
    1. Privacy Policy

      Before an IC or OD office uses any third-party Web site or application to engage with the public, it should examine the third-party’s privacy policy to evaluate the risks and determine whether the Web site or application is appropriate for NIH use. In addition, the IC or OD office shall monitor any changes to the third-party’s privacy policy and periodically reassess the risks.

    2. External Links

      ICs and OD offices may post a link to external, government and non-government sites that are not part of the official NIH.gov domain, such as a third-party social network site. NIH IC and OD office Web pages containing links to external Web pages not located on the NIH network shall provide a statement adjacent to the link or a "pop-up" disclaimer that explains that visitors are being directed to an external, government or non-government Web site that may have different privacy policies from those of the NIH official Web site. The visitor should understand they are exiting the NIH domain and that NIH is not responsible for the material found on, or data collection activities of, external Web pages. Sample disclaimers are provided at: http://ocio.nih.gov/policy/disclsamp.html

    3. Embedded Applications

      If an IC or OD office incorporates or embeds a third-party application on its Web site or any other official NIH domain, it shall take the necessary steps to disclose the third-party’s involvement and describe the NIH activities in its privacy policy.

    4. Agency Branding

      When an IC or OD office uses a third-party Web site or application that is not part of the official NIH domain, it shall apply appropriate branding to distinguish NIH activities from those of non-government actors. For example, to the extent practicable, NIH should add its seal or emblem to its profile page on a social media Web site to indicate that it is an official agency presence.

    5. Information Collection

      If information is collected through the IC or OD office use of a third-party Web site or application, NIH shall collect only the information “necessary” for the proper performance of agency functions and which has practical utility. Where a user actively provides PII via an online form, profile, account setting or other technique, the NIH shall collect only the minimum necessary to accomplish its purpose, and all applicable policies and regulations governing PII must be followed.

    11. Web Form Requirements
    12. A Web form is a portion of a Web page that contains fields that users can fill in with data (including personal information). When the user submits the form, it is sent to a Web server that processes the information where it can be stored in a database.

      Web forms shall be designed to only require what is really needed (and make clear what, if anything is optional). They shall be accompanied by a link to the privacy notice or statement at the point of collection. They shall:

      (1) Use the POST method of form submission (the alternative GET method places the field values in the URL, which can inadvertently spill PII to third parties via the referrer URL);
      (2) Place limitations on one-line text boxes to help ensure they are only used as intended (e.g., maximum of 14 characters for first name);
      (3) Be cautious in using free text fields where users may make PII available where none is requested;
      (4) Use secure transmission (e.g., https://) for the collection of sensitive personal information; and
      (5) Turn off autocomplete for all confidential information (e.g., passwords, credit card numbers, PINs, SSNs, etc.)
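      The following is an added example, not text or code from NIH Manual 2805: a small Node.js audit that checks an HTML form fragment against the five requirements above (POST method, bounded one-line text boxes, flagged free-text fields, an https submission endpoint, and autocomplete turned off on confidential fields) plus the required privacy-notice link. It parses tags with regular expressions rather than a DOM so it runs offline; the list of field names treated as confidential and the sample forms are constructed for this example and are not part of the policy.

```javascript
// Added example (not part of NIH Manual 2805): audit an HTML form fragment
// against the Web form requirements in section C. The names considered
// confidential are an assumption of this example, not a list from the policy.
const CONFIDENTIAL_NAMES = /password|pin|ssn|social|card|cvv/i;

// Parse the attributes of one tag, e.g. <input name="x" maxlength="14">.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  const body = tag.replace(/^<\w+\s*/, '').replace(/\/?>$/, '');
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').toString();
  }
  return attrs;
}

// Returns a list of findings; an empty list means the fragment passes.
function auditForm(html) {
  const findings = [];
  const formTag = html.match(/<form\b[^>]*>/i);
  if (!formTag) return ['no <form> element found'];
  const form = parseAttrs(formTag[0]);

  // (1) POST, so field values never land in the URL or the Referer header.
  if ((form.method || 'get').toLowerCase() !== 'post') {
    findings.push('form method is not POST');
  }
  // (4) Secure transmission for the submission endpoint.
  const action = form.action || '';
  if (action && !/^https:\/\//i.test(action)) {
    findings.push(`form action is not https: ${action}`);
  }
  // Privacy notice link at the point of collection.
  if (!/<a\b[^>]*href=["'][^"']*privacy[^"']*["']/i.test(html)) {
    findings.push('no link to a privacy notice found near the form');
  }

  const inputs = html.match(/<(?:input|textarea)\b[^>]*>/gi) || [];
  for (const tag of inputs) {
    const a = parseAttrs(tag);
    const name = a.name || a.id || '(unnamed)';
    const isTextarea = tag.toLowerCase().startsWith('<textarea');
    const type = (a.type || (isTextarea ? 'textarea' : 'text')).toLowerCase();
    const confidential = CONFIDENTIAL_NAMES.test(name) || type === 'password';

    // (2) One-line text boxes should carry a maxlength bound.
    if ((type === 'text' || type === 'email' || type === 'tel') && !a.maxlength) {
      findings.push(`text field "${name}" has no maxlength`);
    }
    // (3) Free-text fields invite unsolicited PII; flag them for review.
    if (type === 'textarea') {
      findings.push(`free-text field "${name}" present; confirm it is needed and labelled`);
    }
    // (5) Confidential fields must have autocomplete turned off.
    if (confidential && (a.autocomplete || '').toLowerCase() !== 'off') {
      findings.push(`confidential field "${name}" does not set autocomplete="off"`);
    }
  }
  return findings;
}

// Constructed sample: a form that violates most of the requirements.
const WEAK_FORM = `
<form method="get" action="http://example.invalid/submit">
  <input type="text" name="first_name">
  <input type="text" name="ssn">
  <textarea name="comments"></textarea>
  <input type="submit" value="Send">
</form>`;

// Constructed sample: the same form brought into line with section C.
const HARDENED_FORM = `
<form method="post" action="https://example.invalid/submit">
  <a href="/privacy-notice">Privacy notice</a>
  <input type="text" name="first_name" maxlength="14">
  <input type="text" name="ssn" maxlength="11" autocomplete="off">
  <input type="submit" value="Send">
</form>`;

console.log('weak form findings:', auditForm(WEAK_FORM));
console.log('hardened form findings:', auditForm(HARDENED_FORM));
```

      The weak sample produces seven findings (method, endpoint, missing notice link, two unbounded text boxes, the free-text field, and the SSN field without autocomplete off); the hardened sample produces none. A regex-based check of this kind is suitable for a pre-publication review of static page sources, not for forms built dynamically in the browser.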

    13. Web Sites Developed, Maintained and Operated Under Contract
    14. “Contract” covers any contract subject to the Federal Acquisition Regulations (FAR). When an agency contracts for the design, development, or operation of a Web site or Web page necessary to accomplish an NIH function, the IC or OD office shall apply the requirements of this policy to the contract. Web sites or Web pages operated under a contract, which are designed, developed or operated to accomplish an NIH function, are, in effect, deemed to be maintained by the agency.

      The Contracting Officer is the official who oversees the development of the documentation and discussions of assigned contracts for award and administration, performs the final review of contract actions, and provides final signature authority. Health and Human Services Acquisition Regulation (HHSAR) Section 324.103(a) states that all requests for contract shall be reviewed by the Contracting Officer to determine whether the Privacy Act requirements are applicable.

      Solicitations and contracts (both prime and sub) that require the contractor to maintain a system of records covered by the Privacy Act (i.e., when the records will contain personal information that is retrieved by an individual identifier), shall state that the Privacy Act applies and include appropriate FAR citations listed below:

      (1) FAR Clause 52.224-1, Privacy Act Notification
      (2) FAR Clause 52.224-2, Privacy Act
      (3) FAR Clause 52.239-1, Privacy or Security Safeguards
      (4) HHSAR Clause 324.102 – Applicability of the Privacy Act (please verify)
      (5) HHSAR Clause 352.224-70 Confidentiality of Information
      (6) HHSAR Clause 352.270-11 Privacy Act

      Contracts for the development, maintenance, or management of NIH Web sites shall include certain language (See Appendix 2, Contract Sample Language).

      When Federal Information Security Management Act (FISMA) security requirements relevant to the acquisition need to be included, the Project Officer (PO), IC Information Systems Security Officer (ISSO), and the IC Privacy Officer will assist the acquisitions staff in selecting the appropriate language.

      NIH sample language for IT Security Acquisition Provisions is available at: http://ocio.nih.gov/docs/public/IT-Security-Acquisition-Provisions.doc

D. ADDITIONAL INFORMATION/REQUIREMENTS:

  1. Child and Children: Unless the context otherwise provides, it means individuals under the age of 13. (Children’s Online Privacy Protection Act (COPPA) of 1998)
  2. Contract: A contract is a legal instrument used to reflect a relationship between the Federal Government and the recipient whenever the principal purpose of the transaction is to acquire goods or services for the direct benefit or use of the Government. (A Guide to the NIH Acquisition Process 2007)
  3. Cookies: A piece of state information supplied by a Web server to a browser, in a response for a requested resource, for the browser to store temporarily and return to the server on any subsequent visits or requests. (NIST SP 800-28 Version 2, Guidelines on Active Content and Mobile Code)
    1. Authentication Cookie – A cookie that assists the visitor during the login process, by containing the user ID and possibly, password data. A login cookie is typically persistent but may be session-based, and may be linked to other personal information maintained by the Web site. Login cookies tied to a name, account number, or personal e-mail address are considered personally identifiable.
    2. Personalization Cookie – A cookie that is used to tailor a Web site based on the past behavior of the visitor. These cookies are not normally tied to a user's stated preferences but based on analysis by the Web site of user activity. These cookies are normally persistent.
    3. Tracking Cookie – A cookie that is used for aggregate visitor tracking. It is non-personally identifiable and not linked to other logs or information about the visitors that are identifiable. A shopping cart cookie is used to maintain state and associate a visitor with a shopping cart or other transaction thread. These cookies may be linked to PII if the visitor has logged in, is in the check-out process, or is otherwise known. Otherwise, they are often non-personally identifiable.
  4. Disclaimer: NIH Web pages containing links to external Web pages not located on NIH servers should include a link to a statement that releases NIH from responsibility for the material included in the external Web pages. It is important to avoid giving a user the impression that NIH is endorsing information, or a commercial product described in an external site. Notice regarding inclusion of information which may be copyrighted and disclaimers on endorsement (general and external links), liability, and medical information should be used, as appropriate, for individual IC or OD office Web sites. In determining appropriate statements, careful consideration should be given to the nature of the specific site and its potential risk. (NIH Guidance, World Wide Web)
  5. External Links: If an agency posts a link that leads to a third-party Web site or any other location that is not part of an official government domain, the agency should provide an alert to the visitor, such as a statement adjacent to the link or a “pop-up,” explaining that visitors are being directed to a nongovernment Web site that may have different privacy policies from those of the agency’s official Web site. (OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications)
  6. Kid’s Pages: NIH Web sites directed to children under the age of 13. (Children’s Online Privacy Protection Act (COPPA) of 1998)
  7. Machine-Readable Policy File: A privacy policy file that can be read automatically by a Web browser or other software agent to enable an end-user to quickly determine a Website’s privacy practices, and whether that site’s privacy practices are in accordance with the end-user’s privacy preferences, without the end-user having to read the entire privacy policy. (HHS-OCIO, Policy for Machine-Readable Privacy Policies)
  8. Make PII Available: Includes any agency action that causes PII to become available or accessible to the agency, whether or not the agency solicits or collects it. In general, an individual can make PII available to an agency when he or she provides, submits, communicates, links, posts, or associates PII while using the Web site or application. “Associate” can include activities commonly referred to as “friend-ing,” “following,” “liking,” joining a “group,” becoming a “fan,” and comparable functions. (OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications)
  9. Platform for Privacy Preferences (P3P): A specification created by the World Wide Web Consortium. P3P allows users' Web browsers to automatically understand Websites’ privacy practices. (HHS-OCIO, Policy for Machine-Readable Privacy Policies)
  10. Personal Identifier: A name, or the identifying number, symbol, or other unique identifier, such as social security number or User ID Number assigned to an individual.
  11. Personally Identifiable Information (PII): Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. (OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information)
  12. Privacy Act of 1974, as amended: Protects the privacy of individuals by establishing “Fair Information Practices” for the collection, maintenance, use, and dissemination of information by federal agencies. The Privacy Act is the most significant milestone in the history of the protection of the privacy of personal information held by the Federal Government. Many subsequent laws, regulations, and guidance build upon the principles first articulated in the Privacy Act. (Privacy Act of 1974, as amended, 5 U.S.C. 552a)
  13. Privacy Act System of Records: A group of any records under the control of any agency where information is retrieved by the name of the individual, by some identifying number or symbol, or other identifiers assigned to the individual. The key to this definition is that the records shall be “retrieved by”, not “retrievable by” an individual’s name and/or personal identifier. (Privacy Act, as amended, 5 U.S.C. Section 552a(a)(5))
  14. Privacy Impact Assessment (PIA): An analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. (OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002)
  15. Privacy Policy: A consolidated explanation of the agency’s general privacy-related practices that pertain to its official Web site and its other online activities. Federal agencies shall protect an individual’s right to privacy when they collect personal information. This is required by the Privacy Act and OMB Circular No. A-130, Management of Federal Information Resources. Posting a privacy policy helps ensure that individuals have notice and choice about, and thus confidence in, how their personal information is handled when they use the Internet. Privacy policy in standardized machine-readable format means a statement about site privacy practices written in a standard computer language (not English text) that can be read automatically by a Web browser. (OMB Memorandum M-99-18, Privacy Policies on Federal Web Sites and OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002)
  16. Privacy Notice: A brief description of how the agency’s Privacy Policy will apply in a specific situation. Because the Privacy Notice should serve to notify individuals before they engage with an agency, a Privacy Notice should be provided on the specific Web page or application where individuals have the opportunity to make PII available to the agency. (OMB Memorandum M-99-18, Privacy Policies on Federal Web Sites and OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002)
  17. Senior Agency Official for Privacy (SAOP): A title extended by OMB to HHS to effectively meet the reporting requirements outlined in OMB M-06-20, Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. (OMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy)
  18. System of Records: A group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. (Privacy Act of 1974, as amended)
  19. Systems of Records Notice (SORN): All systems with Privacy Act information contained within them are required to publish a “Records Notice” in the Federal Register that informs the public what information is contained in the system, how it is used, how individuals may gain access to information about themselves, and other specific aspects of the system. SORNs can be internal, such as those which cover NIH records. Central agency SOR notices are those that belong to OPM. Government-wide SOR notices are those that belong to the EEOC, FEMA, GSA, DOL, OGE, etc. and which are also referred to as “umbrella” systems of record notices. Before data can be collected, a SORN shall be published and maintained in the Federal Register for 40 days. (Privacy Act of 1974, as amended, 5 U.S.C. § 552a(e)(4) and HHS Cybersecurity Program, Standard Operating Procedures for Completing a Privacy Impact Assessment)
  20. Third-Party Websites or Applications (TPWA): Web-based technologies that are not exclusively operated or controlled by a government entity, or Web-based technologies that involve significant participation of a nongovernment entity. Often these technologies are located on a “.com” Web site or other location that is not part of an official government domain. However, third-party applications can also be embedded or incorporated on an agency’s official Web site. (OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications)
  21. Usage Tiers: Below are the defined tiers for authorized use of Web measurement and customization technologies (OMB Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies):
    1. Tier 1 – Single Session. This tier encompasses any use of single session Web measurement and customization technologies.
    2. Tier 2 – Multi-Session without PII. This tier encompasses any use of multi-session Web measurement and customization technologies when no PII is collected (including when the agency is unable to identify an individual as a result of its use of such technologies)
    3. Tier 3 – Multi-Session with PII. This tier encompasses any use of multi-session Web measurement and customization technologies when PII is collected (including when the agency is able to identify an individual as a result of its use of such technologies)
  22. Verifiable Parental Consent: Verifiable parental consent means any reasonable effort (taking into consideration available technology), including a request for authorization for future collection, use, and disclosure described in the notice, to ensure that a parent of a child receives notice of the operator’s personal information collection, use, and disclosure practices, and authorizes the collection, use, and disclosure, as applicable, of personal information and the subsequent use of that information before that information is collected from that child. (Children’s Online Privacy Protection Act (COPPA) of 1998)
  23. Web 2.0/Social Media Technology: Web 2.0 technologies refer to a second generation of the World Wide Web as an enabling platform for Web-based communities of interest, collaboration, and interactive services. These technologies include those that exist today (listed below) as well as emerging new media technologies that will be developed in the future.
    1. Blogs: Web sites where regular entries are made (such as in a journal or diary) and presented in reverse chronological order. Provides the ability to disseminate a message or information to a worldwide audience.
    2. Cloud Computing: Uses Internet hosted applications rather than locally installed applications.
    3. Social Networking Sites: Web sites that connect people through online communities. Users can establish pages with their profiles and find other people they know or look for other members with similar interests or affiliations. Examples include Facebook and Twitter.
    4. Video and Multimedia Sharing: Web sites that use videos, images, and audio libraries to share information. YouTube is an example.
    5. Wikis: Collections of Web pages that encourage users to contribute or directly modify the content.
    6. Podcasting/Vodcasting: Publishing digital media files on the Web so they can be downloaded onto computers or portable listening devices. Users can subscribe to a “feed” of new media files and download them automatically as they are posted.
    7. RSS Feed: Really Simple Syndication and Rich Site Summary used to publish frequently updated (syndicated) works to multiple venues.
    8. Mashups: Web sites that combine content from multiple sources for an integrated experience.
    9. Mobile Applications: Software designed to run on handheld computers, personal digital assistants (PDAs), enterprise digital assistants (EDAs), smart phones and cell phones.
  24. Web Measurement and Customization Technologies: These technologies are used to remember a user’s online interactions with a Web site or online application in order to conduct measurement and analysis of usage or to customize the user’s experience. (Ex. persistent cookies, Web bugs, Web beacons, etc.) (OMB Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies)
    1. Single-session technologies – These technologies remember a user’s online interactions within a single session or visit. Any identifier correlated to a particular user is used only within that session, is not later reused, and is deleted immediately after the session ends.
    2. Multi-session technologies – These technologies remember a user’s online interactions through multiple sessions. This approach requires the use of a persistent identifier for each user, which lasts across multiple sessions or visits.
  25. Web Site: A collection of interlinked Web pages (on either Internet or intranet sites) with a related topic, usually under a single domain name, which includes an intended starting file called a “home page.” From the home page, access is gained to all the other pages on the Web site. (HHS Cybersecurity Program, Standard Operating Procedures for Completing a Privacy Impact Assessment (PIA) Guide)
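The single-session versus multi-session distinction in definition 24 above can be checked mechanically against the Set-Cookie headers a site sends. The following is an added example, not code from NIH Manual 2805 or from HHS: it classifies each header as single-session (no Expires or Max-Age, so the browser discards it when the session ends), multi-session (a future Expires or a positive Max-Age, so the identifier persists across visits), or a deletion instruction. Whether a multi-session cookie falls under Tier 2 or Tier 3 depends on whether PII is linked to it, which a header alone cannot show, so the check stops at the session distinction. The sample headers and the reference time are constructed for this example.

```javascript
// Added example (not part of NIH Manual 2805): classify Set-Cookie headers
// as single-session or multi-session per definition 24. Sample headers and
// the reference time below are constructed for this example.

// Split a Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const cookie = { name: name.trim(), value: valueParts.join('='), attrs: {} };
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    cookie.attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return cookie;
}

// Returns 'single-session', 'multi-session' or 'deletion' for one header,
// evaluating Expires against the supplied reference time (defaults to now).
function classifyCookie(header, now = Date.now()) {
  const { attrs } = parseSetCookie(header);
  if ('max-age' in attrs) {
    // RFC 6265: Max-Age takes precedence over Expires; zero or negative removes the cookie.
    const seconds = Number(attrs['max-age']);
    return Number.isFinite(seconds) && seconds > 0 ? 'multi-session' : 'deletion';
  }
  if ('expires' in attrs) {
    const when = Date.parse(attrs.expires);
    // An unparseable Expires is ignored by browsers, leaving a session cookie.
    if (Number.isNaN(when)) return 'single-session';
    return when > now ? 'multi-session' : 'deletion';
  }
  return 'single-session';
}

// Map each header to its name, session kind and the usage tier it can fall in.
function summarize(headers, now = Date.now()) {
  return headers.map((h) => {
    const kind = classifyCookie(h, now);
    const tier = kind === 'single-session' ? 'Tier 1'
      : kind === 'multi-session' ? 'Tier 2 or Tier 3 (depends on PII linkage)'
      : 'n/a (removal)';
    return { name: parseSetCookie(h).name, kind, tier };
  });
}

// Constructed sample headers; the comments give the expected classification.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; Secure; HttpOnly',                        // single-session
  '_analytics=xyz789; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/',   // multi-session
  'prefs=lang%3Den; Max-Age=31536000; Path=/; SameSite=Lax',            // multi-session
  'old=; Max-Age=0; Path=/',                                            // deletion
];

// Constructed reference time so the classification is reproducible.
const REFERENCE_TIME = Date.parse('2011-08-08T00:00:00Z');

console.table(summarize(SAMPLE_HEADERS, REFERENCE_TIME));
```

Run over the headers captured from a site's responses, the summary shows which identifiers would survive the browser session and therefore need the multi-session review in section C; the single-session ones fall within Tier 1 without further analysis.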

E. RESPONSIBILITIES:

IC and OD office staff shall comply with the privacy policies in this chapter prior to posting new or revised Web pages. For example, if an IC or OD office Web site states that the information collected will not be available to any other entity, it is the responsibility of the IC or OD office to assure that no such sharing takes place. To ensure adherence to this policy, each IC and OD office shall review all new Web sites and Web page information to be posted or altered for compliance with the NIH privacy and security policy.

The following are officials with responsibilities associated with this policy:

  1. NIH Chief Information Officer (CIO) - The NIH CIO is responsible for the management and oversight of information technology at NIH. Specific to this policy, the NIH CIO is responsible for reviewing and approving or disapproving IC and OD office proposals to use Tier 3 measurement and customization technology as described in section C. Policy, subsection 6 (i) (1).
  2. NIH Senior Official for Privacy (SOP) - The OPDIV official responsible for the NIH Privacy Program. Specific to this policy, the NIH SOP is responsible for reviewing IC and OD office proposals to use Tier 3 measurement and customization technology as described in section C. Policy, subsection 6 (i) (1).
  3. NIH Chief Information Security Officer (CISO) – The OPDIV official responsible for the NIH Information Security Program.
  4. NIH Records Officer – The OPDIV official responsible for the NIH Records Program.
  5. Chief, NIH Project Clearance Branch – The OPDIV official responsible for clearance of information collections under the Paperwork Reduction Act.
  6. NIH Freedom of Information Act Officer – The OPDIV official responsible for the NIH FOIA Program.
  7. NIH Forms Officer – The OPDIV official responsible for establishing new, or revising existing NIH forms used on Web sites to collect data.
  8. IC Privacy Coordinator – The IC or OD office official who serves as the liaison between IC and OD staff and the NIH Senior Official for Privacy on privacy issues.
  9. IC Privacy Act System Owner/Manager – The IC or OD office official responsible for a group of records under the control of the agency where information is retrieved by the name of the individual, by some identifying number or symbol, or by other identifiers assigned to the individual.
  10. IC Information Technology (IT) System Owner/Manager – The IC or OD office official responsible for the development, operation and/or maintenance of an information technology system defined as an organized assembly of IT resources and procedures integrated and regulated by interaction or interdependence to accomplish a set of specified functions.
  11. IC FOIA Officer – The IC or OD office official who serves as the liaison between staff and the FOIA Officer on issues concerning the Freedom of Information Act.
  12. IC Information Systems Security Officer (ISSO) – The IC or OD office official who serves as the principal contact for coordination, implementation, and enforcement of information-security policies with the NIH Senior ISSO and the NIH CISO.
  13. IC Records Liaison – The IC or OD office official who serves as the liaison between IC staff and the NIH Records Officer in overseeing the records management program within IC or OD Office.
  14. IC Project Clearance Liaison – The IC or OD office official who serves as the liaison between IC staff and the Office of Management and Budget for clearance functions concerning public information collection activities such as regulations, survey interviews, customer satisfaction surveys, Web site questionnaires and epidemiology research.
  15. IC Web Site Owner/Manager – The IC or OD office official who serves as the principal contact responsible for IC Web product development and project management.
  16. IC Contracting/Project Officer – The IC or OD office official who oversees the development of the documentation and discussions of assigned contracts for award and administration, performs the final review of contract actions, and provides final signature authority.

F. PROCEDURES:

Online Web activities shall follow appropriate procedures and clearances. In most cases, the procedures to be followed for print publication apply unless one is posting content that has already been cleared for public use.

For other types of less formal content, such as blogs, microblogging, and replies to comments in public online space, coordinate your activities through your supervisory channels.

At a minimum, contact the IC or OD office (1) Communications Office for approval to communicate outgoing messages on behalf of the IC or OD office and to ensure that content procedures are followed, (2) CIO Office or ISSO to learn of security procedures that shall be followed and, (3) FOIA, PRA, Records and Privacy liaisons to learn about requirements under the Freedom of Information Act, Paperwork Reduction Act, Records Act and Privacy Act.

G. RECORDS RETENTION AND DISPOSAL:

All records (e-mail and non-e-mail) pertaining to this chapter shall be retained and disposed of under the authority of NIH Manual 1743, “Keeping and Destroying Records”, Appendix 1, NIH Records Control Schedule, in accordance with the specific schedule item as applied to the kind of records.

NIH e-mail messages, including attachments that are created on NIH computer systems or transmitted over NIH networks that are evidence of the activities of the agency or have informational value are considered federal records. These records shall be maintained in accordance with current NIH Records Management guidelines. Contact your IC Records Liaison or the NIH Records Officer for additional information. All e-mail messages are considered government property, and, if requested for a legitimate government purpose, shall be provided to the requester, employees’ supervisor, NIH staff conducting official reviews or investigations, and the Office of the Inspector General who may request access to or copies of the e-mail messages. E-mail messages shall also be provided to Congressional oversight committees if requested and are subject to Freedom of Information Act requests. Back-up files are subject to the same information requests as original messages and documents.

Web 2.0 Information: A challenge associated with the use of Web 2.0 technologies, including government blogs and wikis and Web pages hosted by commercial providers, is the question of whether information exchanged through these technologies constitutes federal records pursuant to the Federal Records Act. According to the guidance, records generated when a user interacts with an agency Web site may form part of a set of official agency records. National Archives and Records Administration (NARA) guidance indicates that content created with interactive software on government Web sites is owned by the government, not the individuals who created it, and is likely to constitute agency records and should be managed as such. NARA issued “Guidance on Managing Web Records” to help agencies make decisions on what records generated by these technologies should be considered agency records: http://www.archives.gov/records-mgmt/pdf/managing-web-records-index.pdf

H. INTERNAL CONTROLS:

This policy directs ICs and OD offices to meet requirements related to privacy and the protection of personal information on NIH Web pages.

  1. Office Responsible for Reviewing Internal Controls Relative to this policy:
  2. Oversight shall be carried out through a coordinated effort between the Office of Management Assessment (OMA), Office of the Chief Information Officer (OCIO), and Office of Communications and Public Liaison (OCPL).

  3. Frequency of Review:
  4. Reviews shall be ongoing. Appropriate internal controls shall be in place before a Web page may be utilized. Web masters, content managers, developers and programmers responsible for the design, development and management of NIH Web pages are responsible for ensuring compliance with NIH policy.

  5. Method of Review:
  6. Each year, a workgroup of members from OMA, OCIO and OCPL shall survey a sample of NIH Web sites for compliance with NIH policy. External reviews conducted by the OIG/GAO may be used as an alternative internal control review for this purpose. Additionally, the issuing office may decide to initiate an internal Risk Assessment (RA) at the IC or OD level.

  7. Review Reports:
  8. Reports shall be sent to the NIH Deputy Director for Management (DDM), and circulated to NIH privacy, security and Web stakeholders, as deemed appropriate by OMA, OCIO and OCPL. Reports should indicate that controls are in place and working well, or indicate any internal control issues that require the attention of the report recipient(s).

I. REFERENCES:

Laws

  1. Children’s Online Privacy Protection Act (COPPA) of 1998, (15 U.S.C. Section 6501 et seq., 16 CFR, Part 312): http://www.coppa.org/coppa.htm and http://www.coppa.org/comply.htm
  2. Computer Matching and Privacy Protection Act of 1988, (5 U.S.C. 552a(o)): http://www.whitehouse.gov/sites/default/files/omb/inforeg/final_guidance_pl100-503.pdf
  3. Computer Security Act of 1987, (15 U.S.C. Chapter 7, 40 U.S.C. Section 1441): http://www.nist.gov/cfo/legislation/Public%20Law%20100-235.pdf
  4. E-Government Act of 2002 (E-GOV) Section 208, (44 U.S.C. Chapter 36): http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ347.107.pdf
  5. Federal Records Act of 1950, (44 U.S.C 2108 and 31, as amended): http://frwebgate.access.gpo.gov/cgi-bin/usc.cgi?ACTION=BROWSE&TITLE=44USCC31&PDFS=YES
  6. Freedom of Information Act (FOIA) of 1966, (5 U.S.C 552): http://www.nih.gov/icd/od/foia/efoia.htm
  7. Information Technology Management Reform Act of 1996, (40 U.S.C. 1401 et seq.): http://www.cio.gov/Documents/it_management_reform_act_Feb_1996.html
  8. Paperwork Reduction Act (PRA) of 1995, (44 U.S.C. 3501): http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=104_cong_public_laws&docid=f:publ13.104.pdf
  9. Plain Writing Act of 2010 (5 USC 301): http://www.gpo.gov/fdsys/pkg/PLAW-111publ274/pdf/PLAW-111publ274.pdf
  10. Privacy Act of 1974, (5 U.S.C. 552a, as amended): http://www.justice.gov/opcl/privstat.htm
  11. Rehabilitation Act of 1998 Section 508, (29 U.S.C. Section 794d): http://www.section508.gov/index.cfm?fuseAction=1998Amend

OMB Circulars and Memorandum

  1. OMB Circular A-130, Management of Federal Information Resources (November 28, 2000): http://www.whitehouse.gov/omb/circulars/a130/a130trans4.html
  2. OMB Memorandum M-99-18, Privacy Policies on Federal Web Sites (June 2, 1999): http://www.whitehouse.gov/omb/memoranda/m99-18.html
  3. OMB Memorandum M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (Sep. 26, 2003): http://www.whitehouse.gov/omb/memoranda_m03-22/
  4. OMB Memorandum M-05-04, Policies for Federal Agency Public Web Sites (Dec. 17, 2004): http://www.whitehouse.gov/OMB/memoranda/fy2005/m05-04.pdf
  5. OMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy (Feb. 11, 2005): http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2005/m05-08.pdf
  6. OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007): http://www.whitehouse.gov/OMB/memoranda/fy2007/m07-16.pdf
  7. OMB Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies (June 25, 2010): http://www.whitehouse.gov/omb/assets/memoranda_2010/m10-22.pdf
  8. OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications (June 25, 2010): http://www.whitehouse.gov/omb/assets/memoranda_2010/m10-23.pdf
  9. OMB, Office of Information and Regulatory Affairs, Memorandum, Social Media, Web-Based Interactive Technologies, and the Paperwork Reduction Act (April 7, 2010): http://www.whitehouse.gov/sites/default/files/omb/assets/inforeg/SocialMediaGuidance_04072010.pdf

Federal Acquisition Regulations (FAR)

  1. FAR Part 52.224-1, Privacy Act Notification: http://www.acquisition.gov/FAR/current/html/52_223_226.html#wp1168976
  2. FAR Part 52.224-2, Privacy Act: http://www.acquisition.gov/FAR/current/html/52_223_226.html#wp1168981
  3. FAR Part 52.239-1, Privacy or Security Safeguards: http://www.acquisition.gov/FAR/current/html/52_233_240.html#wp1113650

HHS Policy

  1. HHS-OCIO Policy for Machine Readable Privacy Policies: http://www.hhs.gov/ocio/policy/hhs-ocio-2010_0001_policy_for_machine-readable_privacy_policies.html
  2. HHS-OCIO Policy for Social Media Technologies: http://www.hhs.gov/ocio/policy/policy_2010-0003_-_ocio.html
  3. HHS-OCIO Policy for Information Systems Security and Privacy: http://www.hhs.gov/ocio/policy/policy-hhs-ocio-2010-0006-html.html
  4. HHS-OCIO Policy for Information Systems Security and Privacy Handbook: http://intranet.hhs.gov/it/cybersecurity/docs/policies_guides/PISSP/pol_for_info_sys_sec_and_priv_hndbk_9-22-2010.pdf
  5. HHS-OCIO Memo for the Implementation of OMB M-10-22 and 23: http://intranet.hhs.gov/it/cybersecurity/docs/policies_guides/PC/memo_implementation_of_omb_m_10_22_and_m_10_23_pdf.pdf
  6. HHS-OCIO Guide for Using Web Measurement and Customization Technologies: http://intranet.hhs.gov/it/cybersecurity/docs/policies_guides/guide_for_using_web_measurement_and_customization_technologies_20110720.pdf
  7. HHS Policy for Internet Domain Names: http://www.hhs.gov/policies/webpolicies/200501.html
  8. HHS Policy for Section 508 Compliance: http://www.hhs.gov/od/508policy/508_policy.html

NIH Policy

  1. NIH Manual Chapter 1186, Use of NIH Names and Logos: http://oma.od.nih.gov/manualchapters/management/1186
  2. NIH Manual Chapter 1743, Keeping and Destroying Records, Appendix 1, NIH Records Control Schedule: http://oma.od.nih.gov/manualchapters/management/1743/
  3. NIH Manual Chapter 1745, NIH Information Technology (IT) Privacy Program: http://oma.od.nih.gov/manualchapters/management/1745/
  4. NIH Manual Chapter 1745-1, NIH Privacy Impact Assessments: http://oma.od.nih.gov/manualchapters/management/1745-1/
  5. NIH Manual Chapter 1825, Information Collection from the Public: http://oma.od.nih.gov/manualchapters/management/1825
  6. NIH Manual Chapter 2804, NIH Public-Facing Web Management: http://oma.od.nih.gov/manualchapters/management/2804
  7. NIH Manual Chapter 2809, NIH Social and New Media: http://oma.od.nih.gov/manualchapters/management/2809

NIH Guidance

  1. NIH Guidance, World Wide Web: http://ocio.nih.gov/policy/guideli2.html
  2. NIH Web Authors Group Policy & Guidance on Web Site Development, Management, and Evaluation: http://www.nih.gov/icd/od/ocpl/resources/wag/index.htm
  3. NIH, OCPL Guidance on Developing Web Sites at NIH: http://www.nih.gov/icd/od/ocpl/resources/wag/documents/Developing_Issues.htm

National Archives and Records Administration (NARA)

  1. National Archives and Records Administration, Guidance on Managing Web Records: http://www.archives.gov/records-mgmt/pdf/managing-web-records-index.pdf
  2. NARA Bulletin 2011-02, Guidance on Managing Records in Web 2.0/Social Media Platforms: http://www.archives.gov/records-mgmt/bulletins/2011/2011-02.html

APPENDIX 1

FORM TO REQUEST HHS APPROVAL OF TIER 3 TECHNOLOGY

Proposed Use of a Multi-Session Web Measurement and Customization Technology that Collects Personally Identifiable Information Form

Per Office of Management and Budget (OMB) instructions found in Memorandum 10-22, Guidance for Online Use of Web Measurement and Customization Technologies (June 25, 2010), the following information serves as public notice for the proposed use by the United States Department of Health & Human Services of a Tier 3 multi-session Web measurement and customization technology that collects personally identifiable information (PII).

The HHS Senior Agency Official for Privacy (SAOP) will post this notice for public comment on the Department’s Open Government Web page (www.hhs.gov/open) for 30 days from the date of the posting.

Comments about the proposed use can be submitted electronically or in writing. Electronic comments should be directed to OCIO.HHS@hhs.gov. Written comments should be directed to: HHS Senior Agency Official for Privacy, 200 Independence Ave. S.W., Room 555-G, Washington, D.C. 20201

OPDIV

 

OPDIV Chief Information Officer (CIO)

 

OPDIV CIO Approval Date

MM/DD/YYYY

HHS Senior Agency Official for Privacy

 

Date posted for public comment

MM/DD/YYYY

The purpose of the Web measurement and/or customization technology

 

The usage tier (i.e., Tier 1, 2, or 3)

 

Session Type (multi-session or single session)

 

Information about the technology used

 

Describe the nature of the information collected

 

Describe the purpose and use of the information

 

Describe whether and to whom the information will be disclosed

 

Describe the privacy safeguards applied to the information

 

Describe the data retention policy for the information

 

Name of the Privacy Impact Assessment associated with the Web site or application using the Web measurement and/or customization technology

 

Name of the System of Records Notice associated with the Web site or application using the Web measurement and/or customization technology (if applicable)

 

Describe whether or not the technology is enabled by default; and if so, why

 

Describe how to opt-out or opt-in to the Web measurement and/or customization technology

 

Describe how a member of the public can access comparable information or services if they choose to opt-out of the Web measurement and/or customization technology

 

Identities of all third-party vendors involved in the measurement and/or customization process

 

APPENDIX 2


CONTRACT SAMPLE LANGUAGE

A. When FISMA security requirements relevant to the acquisition need to be included, the Project Officer (PO), IC Information Systems Security Officer (ISSO), and the IC Privacy Officer will assist the acquisition staff in selecting the appropriate language. NIH sample language for IT Security Acquisition Provisions is available at:
http://ocio.nih.gov/docs/public/IT-Security-Acquisition-Provisions.doc

B. Solicitations and contracts (prime and sub) to design, develop, operate or manage a Web site or Web page on behalf of the government which require the contractor to maintain a system of records covered by the Privacy Act shall state that the Privacy Act applies and include the appropriate FAR clauses:

Privacy Act Notification

FAR, Sec. 52.224-1

The Contractor will be required to design, develop, or operate a system of records on individuals, to accomplish an agency function subject to the Privacy Act of 1974, Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Act may involve the imposition of criminal penalties.

Privacy Act
FAR, Sec. 52.224-2

(a) The Contractor agrees to--

(1) Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies--

(i) The systems of records; and
(ii) The design, development, or operation work that the contractor is to perform;

(2) Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the design, development, or operation of a system of records on individuals that is subject to the Act; and

(3) Include this clause, including this subparagraph (3), in all subcontracts awarded under this contract which requires the design, development, or operation of such a system of records.

(b) In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a system of records on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a system of records on individuals to accomplish an agency function. For purposes of the Act, when the contract is for the operation of a system of records on individuals to accomplish an agency function, the Contractor and any employee of the Contractor is considered to be an employee of the agency.

(c)

(1) Operation of a system of records, as used in this clause, means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records.

(2) Record, as used in this clause, means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and that contains the person’s name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voiceprint or a photograph.

(3) System of records on individuals, as used in this clause means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

Privacy or Security Safeguards
FAR Sec. 52.239-1

(a) The Contractor shall not publish or disclose in any manner, without the Contracting Officer’s written consent, the details of any safeguards either designed or developed by the Contractor under this contract or otherwise provided by the Government.

(b) To the extent required to carry out a program of inspection to safeguard against threats and hazards to the security, integrity, and confidentiality of Government data, the Contractor shall afford the Government access to the Contractor’s facilities, installations, technical capabilities, operations, documentation, records, and databases.

(c) If new or unanticipated threats or hazards are discovered by either the Government or the Contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party.

Applicability of the Privacy Act
HHSAR Sec. 324.102

(f) Whenever the contracting officer is informed that the Privacy Act is not applicable, but the resultant contract will involve the collection of individually identifiable personal data by the contractor, the contracting officer shall include provisions to protect the confidentiality of the records and the privacy of individuals identified in the records.

Confidentiality of Information
HHSAR Sec. 352.224-70

(a) Confidential information, as used in this clause, means information or data of a personal nature about an individual, or proprietary information or data submitted by or pertaining to an institution or organization.

(b) The Contracting Officer and the Contractor may, by mutual consent, identify elsewhere in this contract specific information and/or categories of information which the Government will furnish to the Contractor or that the Contractor is expected to generate which is confidential. Similarly, the Contracting Officer and the Contractor may, by mutual consent, identify such confidential information from time to time during the performance of the contract. Failure to agree will be settled pursuant to the “Disputes” clause.

(c) If it is established elsewhere in this contract that information to be utilized under this contract, or a portion thereof, is subject to the Privacy Act, the Contractor will follow the rules and procedures of disclosure set forth in the Privacy Act of 1974, 5 U.S.C. 552a, and implementing regulations and policies, with respect to systems of records determined to be subject to the Privacy Act.

(d) Confidential information, as defined in paragraph (a) of this clause, shall not be disclosed without the prior written consent of the individual, institution, or organization.

(e) Whenever the Contractor is uncertain with regard to the proper handling of material under the contract, or if the material in question is subject to the Privacy Act or is confidential information subject to the provisions of this clause, the Contractor should obtain a written determination from the Contracting Officer prior to any release, disclosure, dissemination, or publication.

(f) Contracting Officer determinations will reflect the result of internal coordination with appropriate program and legal officials.

(g) The provisions of paragraph (d) of this clause shall not apply to conflicting or overlapping provisions in other Federal, State, or local laws.

Privacy Act
HHSAR Sec. 352.270-11

This contract requires the Contractor to perform one or more of the following: (a) Design; (b) develop; or (c) operate a Federal agency system of records to accomplish an agency function in accordance with the Privacy Act of 1974 (Act) (5 U.S.C. 552a(m)(1)) and applicable agency regulations. The term “system of records” means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

Violations of the Act by the Contractor and/or its employees may result in the imposition of criminal penalties (5 U.S.C. 552a (i)). The Contractor shall ensure that each of its employees knows the prescribed rules of conduct and that each employee is aware that he/she is subject to criminal penalties for violation of the Act to the same extent as HHS employees. These provisions also apply to all subcontracts awarded under this contract which require the design, development or operation of the designated system(s) of records (5 U.S.C. 552a (m) (1)).

The contract work statement: (a) identifies the system(s) of records and the design, development, or operation work to be performed by the Contractor; and (b) specifies the disposition to be made of such records upon completion of contract performance.

B. Additional Contract Language:

1. Under Federal Information Technology policy, Web sites owned or operated by or for the government shall post clear privacy policies on top-level/principal Web sites, including NIH and Institute/Center-level sites, major on-line public resource sites and any other known major entry points. Web sites that are owned or operated by a contractor on behalf of the NIH that implement and use mechanisms that collect and maintain personally identifiable information from individuals who visit the Web site, e.g., cookies, Web server logs, surveys, and similar mechanisms, may not use that information to identify specific individuals without a valid Privacy Act System Notice published in the Federal Register, which covers the identifiable records.

2. NIH IC and OD office Web pages containing links to external Web pages not located on NIH servers should include a link to an Exit statement that disclaims NIH responsibility for the protection of privacy and material included in the external Web pages. Sample Disclaimers are available at: http://ocio.nih.gov/policy/disclsamp.html

3. Web pages that are directed to children under the age of 13 have additional requirements as provided in the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.), and implementing regulations (16 CFR 312) available at: http://www.coppa.org/coppa.htm

4. Additional guidance and requirements for the publication of data on NIH Web servers and acceptable uses for Web pages created for NIH is posted at: http://ocio.nih.gov/policy/guideli2.html
