NASA 141863main PIA MYNASA NASA GOV 12-14
Transcript of NASA 141863main PIA MYNASA NASA GOV 12-14
-
8/14/2019 NASA 141863main PIA MYNASA NASA GOV 12-14
Columns: No. | Privacy Question Sets | Response (Yes / No / N/A) | Comments
System Characterization and Data Categorization
1 Has/Have any of the major changes listed in the Comments column occurred to the system since April 2003 or the conduct of the last PIA?
If yes, please check which change(s) have occurred.
Conversions
Anonymous to Non-Anonymous
Significant System Management Changes
Significant Merging
New Public Access
Commercial Sources
Internal Flow or Collection
New Interagency Use
Alteration in Character of Data
2 Does/Will the system contain Federal records?
3 If the system contains/will contain Federal records, under which disposition authority item in the NASA Records Retention Schedules or the General Records Schedules are/will the records be retained and disposed of or archived?
Schedule Item: ________________________
4 Do the records in the system pertain to active programs/projects?
5 Are the records Vital records for the organization?
6 Are backup files (tapes or other media) being stored off-site?
If yes, please indicate in the comment field where backups are located.
Backup storage location: Vericenter secure fireproof tape archives and secure remote repository
NASA PIA Worksheet Page 2
7 Does/Will the system contain (store) information in identifiable form (IIF) within any database(s), record(s), file(s) or Web site(s) hosted by this system?
Note: If yes, check all that apply in the Comments column. If the category of personal information is not listed, please check Other and identify the category.
Please note: This question seeks to identify all personal information contained within the system. This includes any IIF, whether or not it is subject to the Privacy Act, whether the individuals are employees, the public, research subjects, or business partners, and whether provided voluntarily or collected by mandate. Later questions will try to understand the character of the data and its applicability to the requirements under the Privacy Act or other legislation.
Personal Information:
Name
Date of birth
Social Security Number (or other number originated by a government that specifically identifies an individual)
Photographic identifiers (e.g., photograph image, x-rays, and video)
Driver's license
Biometric identifiers (e.g., fingerprint and voiceprint)
Mother's maiden name
Vehicle identifiers (e.g., license plates)
Mailing address
Phone numbers (e.g., phone, fax, and cell)
Medical records numbers
Medical notes
Financial account information and/or numbers (e.g., checking account number and Personal Identification Numbers [PIN])
Certificates (e.g., birth, death, and marriage)
Legal documents or notes (e.g., divorce decree, criminal records, or other)
Device identifiers (e.g., pacemaker, hearing aid, or other)
Web Uniform Resource Locators (URL)
E-mail address
Education records
Military status and/or records
Employment status and/or records
Foreign activities and/or interests
Other:________________________
8 Indicate all the categories of individuals about whom IIF is or will be stored.
Employees
Public citizens
Patients
Business partners/contacts (federal, state, local agencies)
Vendors/Suppliers/Contractors
Other:
9 Are records on the system (or will records on the system be) retrieved by one or more data elements?
Note: If yes, specify in the Comments column which data elements will be used in retrieving the records (i.e., using a record number, name, social security number, or other data element or record locator methodology). If the category of personal information is not listed, please check Other and identify the category.
Personal Information:
Name
Social Security Number (or other number originated by a government that specifically identifies an individual)
Photographic identifiers (e.g., photograph image, x-rays, and video)
Driver's license
Biometric identifiers (e.g., fingerprint and voiceprint)
Mother's maiden name
Vehicle identifiers (e.g., license plates)
Mailing address
Phone numbers (e.g., phone, fax, and cell)
Medical records numbers
Medical notes
Financial account information and/or numbers (e.g., checking account number and Personal Identification Numbers [PIN])
Certificates (e.g., birth, death, and marriage)
Legal documents or notes (e.g., divorce decree, criminal records, or other)
Device identifiers (e.g., pacemaker, hearing aid, or other)
Web Uniform Resource Locators (URL)
E-mail address
Education records
Military status and/or records
Employment status and/or records
Foreign activities and/or interests
Other:________________________
10 Are/Will records on 10 or more individuals containing IIF [be] maintained, stored or transmitted/passed through this system?
11 Is the system (or will it be) subject to the Privacy Act?
Note: If the answer to questions 7, 9, and 10 were yes, the system will likely be subject to the Privacy Act. System owners should contact their Center PAM for assistance with this question if they are uncertain of the applicability of the Privacy Act.
12 Has a Privacy Act System of Record (SOR) Notice been published in the Federal Register for this system?
Note: If no, explain why not in the Comments column.
No IIF is contained in the system.
IIF is in the system, but records are not retrieved by IIF.
Should have published an SOR, but was unaware of the requirement.
System is required to have an SOR but is not yet procured or operational.
Other:______
13 If a SOR Notice has been published, have major changes to the system occurred since publication of the SOR?
Information Sharing Practices
14 Is the IIF in the system voluntarily submitted (or will it be)?
15 Does/Will the system collect IIF directly from individuals?
Note: If yes, identify in the Comments column the IIF the system collects or will collect directly from individuals. If the category of personal information is not listed, please check Other and identify the category.
16 Does/Will the system collect IIF from other resources (i.e., databases, Web sites, etc.)?
Note: If yes, specify the resource(s) and IIF in the Comments column.
The IIF is collected from sections in www.nasa.gov and the SpaceChat feature of Goddard Space Flight Center
17 Does/Will the system populate data for other resources (i.e., do databases, Web sites, or other resources rely on this system's data)?
Note: If yes, specify resource(s) and purpose for each instance in the Comments column.
Resource: www.nasa.gov
Resource: ____________________
Resource: ____________________
Resource: ____________________
Resource: ____________________
18 Does/Will the system share or disclose IIF with agencies external to NASA, or other people or organizations outside NASA?
Note: If yes, specify with whom and for what purposes, and identify which data elements in the Comments column. If the category of personal information is not listed, please check Other and identify the category.
With whom and for what purposes:
______________________________
______________________________
______________________________
______________________________
______________________________
19 If the IIF in the system is or will be matched against IIF in one or more other computer systems internal or external to NASA, are (or will there be) computer data matching agreement(s) in place?
If yes, indicate in the Comments column internal or external and the system(s) with data which are matched.
Location of other systems involved in matching:
Internal NASA
External to NASA
Other systems involved:
________________________________
________________________________
20 If data matching activities will occur, will the IIF be de-identified, aggregated, or otherwise made anonymous?
Note: If yes, please describe this use in the Comments column.
De-identified
Aggregated
Other
21 Is there a process, either planned or in place, to notify organizations or systems that are dependent upon the IIF contained in this system when changes occur (i.e., revisions to IIF, when the system encounters a major change, or is replaced)?
22 Is there a process, either planned or in place, to notify and obtain consent from the individuals whose IIF is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of the original collection)?
23 Is there/Will there be a process in place for individuals to choose how their IIF data is used?
Note: If yes, please describe the process for allowing individuals choice in the Comments column.
Process: IIF includes email addresses. Individuals will be notified by email of any major system changes.
24 Is there/Will there be a complaint process in place for individuals who believe their IIF has been inappropriately obtained, used, or disclosed, or that the IIF is inaccurate?
Note: If yes, please describe briefly the notification process in the Comments column.
Process: Individuals are provided with contact information for email or postal mail.
25 Are there or will there be processes in place for periodic reviews of IIF contained in the system to ensure the data's integrity, availability, accuracy, and relevancy?
Note: If yes, please describe briefly the review process in the Comments column.
Process: System security is monitored on 24 x 7 basis, periodic security probe tests are conducted, and system alert notification.
26 Are there/Will there be rules of conduct in place for access to IIF on the system?
Note: If yes, identify in the Comments column all users with access to IIF on the system and for what purposes they use the IIF.
Users
Administrators
Developers
Contractors
For what purposes:
Protection of IIF information
Duplicate and copy prevention
______________________________
______________________________
______________________________
27 Is there a process in place to log routine and non-routine disclosures and/or unauthorized access?
If yes, check in the Comments column which kind of disclosures are logged.
Disclosures logged:
Routine
Non-routine
Public Internet Intrusion detection
Web site Host Question Sets
28 Does/Will the system host a Web site?
Note: If yes, identify what type of site the system hosts in the Comments column.
If no, check No for all remaining questions in the Web Site Host Question Sets section and answer questions starting with the Administrative Controls section beginning with question 42.
Type of site:
Public Internet_mynasa.nasa.gov
Internal NASA __________________
Both__________________________
29 Is the Web site (or will it be) accessible by the public or other entities (i.e., federal, state, and local agencies, contractors, third-party administrators, etc.)?
30 Is the Agency Web site privacy policy statement posted (or will it be posted) on the Web site?
31 Is the Web site's privacy policy in machine-readable format, such as Platform for Privacy Preferences (P3P)?
Note: If no, please describe in the Comments column your timeline to implement P3P requirements for this system.
Implementation Plan:______________________
_______________________________________
_______________________________________
32 Does the Web site employ (or will it employ) persistent tracking technologies?
Note: If yes, identify types of cookies in the Comments column. If persistent tracking technologies are in place, please indicate the official who authorized the use of the persistent tracking technology.
Session Cookies
Persistent Cookies
Web bugs
Web beacons
Other (Describe): ________________
Authorizing Official: ____________________
Authorizing Date: ______________________
33 Does/Will the Web site collect or maintain personal information from or about children under the age of 13?
34 If the Web site does/will collect or maintain personal information from or about children under the age of 13, please indicate what information and how the information is collected.
Actively directly from the child
Passively through cookies
Both of the above
What Information collected:
_______________________________________
_______________________________________
_______________________________________
35 If the Web site does/will collect or maintain personal information from or about children under the age of 13, is the information shared with any non-NASA organizations, grantees, universities, etc.
Note: If yes, also identify the non-NASA organizations in the comments field
Information is shared with:
_______________________________________
_______________________________________
_______________________________________
36 If the Web site does/will collect or maintain personal information from or about children under the age of 13, specify in the comments field what method is used for obtaining parental consent.
Method used for obtaining parental consent (please check all that apply)
No consent is obtained
Simple email
email accompanied by digital signature
signed form from the parent via postal mail or facsimile
accepting and verifying a credit card number in connection with a transaction
taking calls from parents, through a toll-free telephone number staffed by trained personnel
37 Does/Will the Web site collect IIF electronically from any individuals?
Note: If yes, identify what IIF the system collects in the Comments column. If the category of personal information is not listed, please check Other and identify the category.
Personal Information:
Name
Date of birth
Social Security Number (or other number originated by a government that specifically identifies an individual)
Photographic identifiers (e.g., photograph image, x-rays, and video)
Driver's license
Biometric identifiers (e.g., fingerprint and voiceprint)
Mother's maiden name
Vehicle identifiers (e.g., license plates)
Mailing address
Phone numbers (e.g., phone, fax, and cell)
Medical records numbers
Medical notes
Financial account information and/or numbers (e.g., checking account number and Personal Identification Numbers [PIN])
Certificates (e.g., birth, death, and marriage)
Legal documents or notes (e.g., divorce decree, criminal records, or other)
Device identifiers (e.g., pacemaker, hearing aid, or other)
Web Uniform Resource Locators (URL)
E-mail address
Education records
Military status and/or records
Employment status and/or records
Foreign activities and/or interests
Other:________________________
38 Does/Will the Web site provide a PDF form to be completed with IIF from any individuals and then mailed or otherwise provided to NASA?
Note: If yes, identify what IIF the PDF form collects in the Comments column. If the category of personal information is not listed, please check Other and identify the category.
Personal Information:
Name
Date of birth
Social Security Number (or other number originated by a government that specifically identifies an individual)
Photographic identifiers (e.g., photograph image, x-rays, and video)
Driver's license
Biometric identifiers (e.g., fingerprint and voiceprint)
Mother's maiden name
Vehicle identifiers (e.g., license plates)
Mailing address
Phone numbers (e.g., phone, fax, and cell)
Medical records numbers
Medical notes
Financial account information and/or numbers (e.g., checking account number and Personal Identification Numbers [PIN])
Certificates (e.g., birth, death, and marriage)
Legal documents or notes (e.g., divorce decree, criminal records, or other)
Device identifiers (e.g., pacemaker, hearing aid, or other)
Web Uniform Resource Locators (URL)
E-mail address
Education records
Military status and/or records
Employment status and/or records
Foreign activities and/or interests
Other:________________________
39 Does/Will the Web site share IIF with organizations external to NASA, or other people or organizations outside NASA?
Note: If yes, specify with whom and for what purposes.
With whom and for what purposes:
______________________________
______________________________
______________________________
______________________________
______________________________
40 Are rules of conduct in place (or will they be in place) for access to IIF on the Web site?
Note: If yes, identify in the Comments column all categories of users with access to IIF on the system, and for what purposes the IIF is used.
Users
Administrators
Developers
Contractors
For what purposes:
Users to modify their preferences
To maintain the system day to day
To respond to user inquiries
______________________________
41 Does (or will) the Web site contain links to sites external to the Center that owns and/or operates the system?
Note: If yes, note in the Comments column whether the system provides a disclaimer notice for users that follow external links to Web sites not owned or operated by the Center.
Disclaimer notice for all external links
Administrative Controls
42 Have there been major changes to the system since it was last certified and accredited?
Note: If the system is under development and not yet certified and accredited at the time of this PIA, please describe in the Comments column the plan and timeline for conducting a certification and accreditation (C&A) for this system.
43 Have personnel (system owners, managers, operators, contractors and/or program managers) using the system been (or will they be) trained and made aware of their responsibilities for protecting the IIF being collected and maintained?
44 Who has/will have access to the IIF on the system?
Note: Check all that apply in the Comments column.
Users
Administrators
Developers
Contractors
Other
45 If contractors operate or use the system, do the contracts include clauses ensuring adherence to privacy provisions and practices?
46 Are methods in place to ensure that access to IIF is restricted to only those required to perform their official duties?
Note: If yes, please specify method(s) in the Comments column.
47 Are there policies or guidelines in place for the retention and destruction of IIF within the application/system?
Note: If yes, please provide some detail about these policies/practices in the Comments column.
Information is retained for the shorter of the time required to complete the action requested by the provider.
Technical Controls
48 Are technical controls in place to minimize the possibility of unauthorized access, use, or dissemination of the data in the system (or will there be)?
49 Are any of the password controls listed in the Comments column in place (or will they be)?
Note: Check all that apply in the Comments column.
Passwords expire after a set period of time.
Accounts are locked after a set period of inactivity.
Minimum length of passwords is eight characters.
Passwords must be a combination of uppercase, lowercase, and special characters.
Accounts are locked after a set number of incorrect attempts.
50 Is there (or will there be) a process in place to monitor and respond to privacy and/or security incidents?
Physical Controls
51 Are physical access controls in place (or will they be)
- END -
PIA Analysis Worksheet
Contact Information
______________________________________ ___________________
Signature of NASA Cognizant Official Date
for Technical Operation of this System
Nitin Naik
NASA Associate CTO
NASA Office of the Chief Information Officer
NASA Headquarters
Washington, DC 20546-0001
202/358-1519
______________________________________ ___________________
Signature of NASA Cognizant Official Date
for Editorial Content within this system
Brian Dunbar
Internet Services Manager
NASA Office of Public Affairs
NASA Headquarters
Washington, DC 20546-0001
202/358-0873
Privacy Impact Assessment (PIA) Summary
Date of this Submission: (12/15/2005)
NASA Center: Headquarters, NASA Office of Public Affairs
Application Name: http://mynasa.nasa.gov/ (the NASA Portal)
Is this application or information collection new or is an existing one being modified? No
Does this application collect, maintain, and/or disseminate information in identifiable form (IIF)? Yes
Mission Program/Project Supported: All, through the NASA Office of Public Affairs
Identifying Numbers (Use N/A, where appropriate)
Privacy Act System of Records Number: N/A
OMB Information Collection Approval Number and Expiration Date: N/A
Other Identifying Number(s): N/A
Description
1. Provide an overview of the application or collection and indicate the legislation authorizing this activity.
http://mynasa.nasa.gov/ is NASA's public application portal. It hosts the dynamic application content for the NASA Portal, a secure system provided to allow web publication of NASA's public content to a broad public audience. http://mynasa.nasa.gov/ interacts with other NASA Portal applications including www.nasa.gov and mediaservices.nasa.gov, each of which is designed to securely accomplish the requests of web users who voluntarily provide information. It also allows voluntary user registration that when completed allows users to personalize what they want to view on NASA's portal. This IIF is not disseminated to any other location or system.
2. Describe the information the agency will collect, maintain, or disseminate and how the agency will use the information. In this description, indicate whether the information contains IIF and whether submission is voluntary or mandatory.
http://mynasa.nasa.gov/ stores web user IIF directly through user registrations which are submitted voluntarily. In addition, through a "contact us" page provided for each NASA Center, Mission Support Office, and Mission Directorate that is hosted within http://www.nasa.gov/, and through a special event registration system for Goddard Space Flight Center called SpaceChat, first name, last name, email address, and in the case of SpaceChat, certain demographic information is collected and stored. The information is submitted voluntarily by the web user. This information is maintained in secure systems and used for personalization of the user experience and to respond to user queries and requests.
NASA PIA Summary Page 1
3. Explain how the IIF collected, maintained, and/or disseminated is the minimum necessary to accomplish the purpose for this effort.
The information collected and stored by http://mynasa.nasa.gov/ will be used only for its intended purpose as described above. Information collected is the minimum required to accomplish the user's voluntary request.
4. Explain why the IIF is being collected, maintained, or disseminated.
Information is voluntarily provided by the user who chooses to register on mynasa.nasa.gov for the sole purpose of customizing their view of NASA content. These preferences are stored so that the user is always presented with their customized view when they return to the site. MyNASA also serves as the repository for requests submitted to contact a NASA Center, Mission Support Office, and Mission Directorate that is hosted within http://www.nasa.gov/, and through SpaceChat, a special event registration system for Goddard Space Flight Center. The information is collected to respond to a user's request or register them for a NASA special event.
5. Identify with whom the agency will share the IIF.
The agency does not share this information with anyone other than NASA, its agents, or as otherwise required by law. Information is accessible only by the system administrators as required for them to perform their day to day jobs and to specific individuals who are designated by NASA management to respond to users' requests for information. Registered users can access their registration information through a user id and password that is only known to them.
6. Describe how the IIF will be obtained, from whom it will be collected, what the suppliers of information and the subjects will be told about the information collection, and how this message will be conveyed to them (e.g., written notice, electronic notice if a Web-based collection, etc.). Describe any opportunities for consent provided to individuals regarding what information is collected and how the information will be shared.
The user voluntarily provides information on the registration web page. Links to the privacy policy are provided in a statement on the web page where the information is collected. Users are not required to submit this information to browse http://www.nasa.gov/ but are required to submit it upon registering to customize to their choices. Registered users can access their registration information through a user id and password that is only known to them.
7. State whether personal information will be collected from children under age 13 on the Internet and, if so, how parental or guardian approval will be obtained. (Reference: Children's Online Privacy Protection Act of 1998).
N/A
8. Describe how the IIF will be secured.
All IIF information is stored in systems protected by security as described in the security plan that requires annual certification, frequent auditing and constant monitoring. Any IIF information collected by http://mynasa.nasa.gov/ is stored in a secure Oracle database where access is limited to mynasa.nasa.gov system administrators. Information is accessible only by the system administrators as required for them to perform their day to day jobs. We protect IIF information consistent with the principles of the E-Government Act of 2002, and as applicable, the Freedom of Information Act.
9. Describe plans for retention and destruction of IIF.
Logon IDs and passwords are retained for a period of time that the user wishes to use http://mynasa.nasa.gov. These are deleted if the user requests deletion.
Where information is collected for a request or question through email, NASA stores the user's email address for a sufficient time to allow research to be completed and to properly respond to the user. In any case, the email address is retained for no longer than ninety days. Other information is retained for a period of time to carry out the request of the user and in no case longer than the time allowed by the General Records Schedule. Where information is maintained for backup purposes on magnetic tapes, these tapes are overwritten, erased, or destroyed within 120 days.
10. Identify whether a system of records is being created under section 552a of Title 5, United States Code (the Privacy Act), or identify the existing Privacy Act system of records notice under which the records will be maintained.
N/A
Identify a point of contact to whom a member of the public can address questions concerning this information system and the privacy concerns associated with it:
Nitin Naik
NASA Associate CTO
NASA Office of Chief Information Officer
NASA Headquarters
Washington, DC 20546-0001
202/358-1519
Submitted by: (Signature on Record)
Nitin Naik
Associate CTO
NASA Office of Chief Information Officer
NASA Headquarters
Washington, DC 20546-0001
202/358-1519
Date 12/15/2005
Concur: Concur:
Patti F. Stockman Scott Santiago
NASA Privacy Act Officer Deputy CIO for IT Security
Date Date:
Approved for Publication:
Patricia L. Dunnington
Chief Information Officer
Date