Privacy Impact Assessment for the Peer Reviewer Panelist Information System
I. Data in the System
Generally describe what data/information will be collected in the system.
PRPIS is a database used by ORD's Peer Review Division (PRD) to search for relevant experts to serve as reviewers for research grant, contract and fellowship proposals. The information is entered by potential panelists and includes: contact information, expertise, institution, education, employment history, awards/funding, publications, panels served, memberships, and keywords. Data entry is voluntary and is performed by the individual for consideration as a reviewer. The individual may enter information for some or all fields.
What are the sources and types of the information in the system?
The source of information is the individual entering the data. The type of information is descriptive - what would be found in a curriculum vitae (CV) or resume. The system is maintained by a contractor who also enters some basic information such as reviewer name and panels served. The contractor receives this information from EPA.
How will the data be used by the Agency?
The information will be used to assist EPA in selecting and maintaining a record of contract peer reviewers who assist EPA in assessing and reviewing grant applications submitted under the Federal Grant and Cooperative Agreement Act of 1977. The data is used by PRD staff to search for appropriate reviewers to serve on review panels. Staff can search by name, keyword, institution, expertise, qualification, and/or publications.
Why is the information being collected? (Purpose)
The information being collected enhances the repository of qualified experts EPA can access and ask to serve on review panels. Data entry into the system is voluntary on behalf of the reviewer.
II. Access to the Data
Who will have access to the data/information in the system (internal and external parties)? If contractors, are the Federal Acquisition Regulations (FAR) clauses included in the contract (24.104 Contract clauses; 52.224-1 Privacy Act Notification; and 52.224-2 Privacy Act)?
Internally, only staff members of EPA/ORD/NCER/PRD have access to the information in PRPIS. Externally, a support contractor maintains the system on their server and performs any necessary programming. All appropriate FAR clauses are included in the contract. Occasionally, other offices within EPA may request suggestions for outside expertise and we may search PRPIS on their behalf and provide data in an electronic format (i.e. spreadsheet or word processing document).
What controls are in place to prevent the misuse of data by those having authorized access?
Access to PRPIS is limited to only PRD staff, approximately 11 people. These users only have the ability to conduct searches; they do not have access to data entry or data modification. The office has a policy of keeping confidential any information associated with the preparation of a panel. Any hard copy information printed from the system that is not part of the file must be shredded.
Do other systems share data or have access to data/information in this system? If yes, explain who will be responsible for protecting the privacy rights of the individuals affected by the interface? (i.e., System Administrators, System Developers, System Managers)
Will other agencies, state or local governments share data/information or have access to data in this system? (Includes any entity external to EPA.)
Do individuals have the opportunity to decline to provide information or to consent to particular uses of the information? If yes, how is notice given to the individual? (Privacy policies must clearly explain where the collection or sharing of certain information may be optional and provide users a mechanism to assert any preference to withhold information or prohibit secondary use.)
Yes, being listed in PRPIS is voluntary. The home page of the web site contains a privacy statement that states the following: "Providing this information is voluntary."
III. Attributes of the Data
Explain how the use of the data is both relevant and necessary to the purpose for which the system is being designed.
PRPIS is a collection of external experts in various environmentally-related fields whose expertise we utilize in conducting external peer reviews for research grant, contract and fellowship submissions. The data is relevant and necessary because we must have a searchable system of individuals who are interested in serving on our panels (entry into PRPIS is voluntary and at the individual's choice) and qualified. PRPIS allows us to search on multiple categories to best match expertise to a particular review panel and it also contains current contact information.
If data are being consolidated, what controls are in place to protect the data from unauthorized access or use? Explain.
PRPIS data is not being consolidated.
If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.
No processes are being consolidated.
How will data be retrieved? Can it be retrieved by personal identifier? If yes, explain. (A personal identifier is a name, Social Security Number, or other identifying symbol assigned to an individual, i.e. any identifier unique to an individual.)
The data can be retrieved by conducting a search on any field within PRPIS (see response to 1.1 for fields). Since this is a database of individuals, names are included and therefore data can be retrieved by this personal identifier. PRPIS does not collect social security numbers.
The privacy statement is two paragraphs long and is included on the home page. It is the main part of the home page and individuals must visit this site in order to login.
IV. Maintenance of Administrative Controls
Has a record control schedule been issued for the records in the system? If so, provide the schedule number. What are the retention periods for records in this system? What are the procedures for eliminating the records at the end of the retention period? (You may check with the record liaison officer (RLO) for your AA-ship, Tammy Boulware (Headquarters Records Officer) or Judy Hutt, Agency Privacy Act Officer, to determine if there is a retention schedule for the subject records.)
PRPIS contains CV-type records of potential panelists. There is no retention period because PRD convenes panels throughout the year and needs access to records all the time. Furthermore, reviewers often update their records to keep them current, making a retention period and record elimination counter-productive to the function of the system. Records are rarely removed from the system; however, we will remove an individual's record at her request.
I am not aware if a records control schedule has been issued.
While the data are retained in the system, what are the requirements for determining if the data are still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations?
A reviewer profile update is sent to each individual listed in PRPIS annually.
Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain.
This system contains name and contact information so that we may query and invite individuals to serve on panels, so yes, it provides the capability to identify and locate individuals. It does not provide the capability to monitor individuals.
Does the system use any persistent tracking technologies?
Under which System of Records (SOR) notice does the system operate? Provide the name of the system and its SOR number if applicable. For reference, please view this list of Agency SORs. (A SOR is any collection of records under the control of the Agency in which the data is retrieved by a personal identifier. The Privacy Act Officer will determine if a SOR is necessary for your system.)
PRPIS is listed under EPA-37 "ORD Peer Review Panelist Information System (PRPIS) System."