Date Signed:
10/14/2016
OPDIV:
CMS
Name:
NewRelic for Quality Payment Program
TPWA Unique Identifier:
Is this a new TPWA?
Yes
Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act?
No
Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)?
No
Does the third-party Website or application contain Federal Records?
No
Describe the specific purpose for the OPDIV use of the third-party Website or application:
The Quality Payment Program (QPP) website, qpp.cms.gov, uses New Relic Browser to collect, report, and analyze visitor interactions at qpp.cms.gov. CMS uses this information to help identify performance issues with the website as well any application errors that might fire during a consumer's browsing session.
The reports received from New Relic are available only to CMS employees and contractors who implement the QPPs represented on qpp.cms.gov, members of the CMS communications and web teams, and other designated federal staff and contractors who need this information to perform their duties.
Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use?
Yes
Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application:
If consumers do not want New Relic Browser to collect information related to their visits to qpp.cms.gov, consumers can use the Tealium IQ Privacy Manager on qpp.cms.gov's privacy page and "opt out" of having data collected about them by New Relic Browser. Alternatively, a consumer can disable cookies using their browser if they do not want their information to be collected.
Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors?
No
How does the public navigate to the third party Website or application from the OPIDIV?
N/A. New Relic Browser is a web measurement tool used to monitor visitor interaction on a website; it is not a website accessible to the public.
Please describe how the public navigate to the third party website or application.
N/A. New Relic Browser is a web measurement tool used to monitor visitor interaction on a website; it is not a website accessible to the public.
If the public navigate to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a nongovernmental Website?
No
Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application?
Yes
Provide a hyperlink to the OPDIV Privacy Policy:
https://qpp.cms.gov/privacy/
Is an OPDIV Privacy Notice posted on the third-part website or application?
No
Is PII collected by the OPDIV from the third-party Website or application?
No
Will the third-party Website or application make PII available to the OPDIV?
No
Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third- party Website or application and the intended or expected use of the PII:
CMS does not collect any PII through the use of New Relic Browser.
Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing:
PII is not stored or shared.
If PII is shared, how are the risks of sharing PII mitigated?
No PII is shared with CMS.
Will the PII from the third-party website or application be maintained by the OPDIV?
No
Describe how PII that is used or maintained will be secured:
Not applicable.
What other privacy risks exist and how will they be mitigated?
CMS will use New Relic Browser in a manner that protects the privacy of consumers who visit qpp.cms.gov and respects the intent of qpp.cms.gov users. CMS will periodically review New Relic's privacy practices to ensure its policies continue to align with agency objectives and privacy policies and do not present unreasonable or unmitigated risks to consumer privacy.
New Relic Browser is employed solely for the purposes of improving CMS’ services and on-line activities related to operating qpp.cms.gov.
Information collected by New Relic Browser is created and maintained by New Relic Browser.
Risk #1:
The New Relic Browser tools use persistent cookies on Qpp.cms.gov and can be stored on a User’s local system. Users approximate geographic location is collected by New Relic Browser based on the IP address of the user’s local system. Other information collected consists of Page Views, JavaScript Errors, Browser, Session Traces and other information specific to the health and performance of qpp.cms.gov systems.
Mitigation:
New Relic Browser uses session cookies that expire at the end of a user's browsing session. New Relic Browser's privacy policies, notices from qpp.cms.gov, information published by New Relic Browser about its privacy policies, and the ability for consumers to opt-out of providing their information to New Relic Browser maximizes consumers’ abilities to protect their information and mitigate risks to their privacy.
Risk #2:
CMS also recognizes that if New Relic Browser is not implemented correctly in relation to qpp.cms.gov, personal information could be collected about qpp.cms.gov visitors.
Mitigation:
Therefore, to mitigate this risk, CMS only allows a limited number of trained and credentialed staff or contractors to implement and have access to the information CMS obtains from New Relic Browser. A consumer can also use the Tealium iQ Privacy Manager on qpp.cms.gov's privacy page and "opt out" of having data collected about them by New Relic Browser.
