Date Signed:
10/14/2016
OPDIV:
CMS
Name:
Tealium for Quality Payment Program
TPWA Unique Identifier:
Is this a new TPWA?
Yes
Will the use of a third-party Website or application create a new or modify an existing HHS/OPDIV System of Records Notice (SORN) under the Privacy Act?
No
Will the use of a third-party Website or application create an information collection subject to OMB clearance under the Paperwork Reduction Act (PRA)?
No
Does the third-party Website or application contain Federal Records?
No
Describe the specific purpose for the OPDIV use of the third-party Website or application:
Many of the third-party tools used in connection with qpp.cms.gov rely on cookies to perform their functions. The Quality Payment Program (QPP) uses Tealium iQ as a solution to manage these cookies from a single interface.
Specifically, Tealium iQ allows CMS to allow consumers to control which cookies are enabled/disabled, and thus which third-party tools are enabled/disabled.
Tealium iQ adds, removes and modifies code across cms.hhs.gov. Many of the tools CMS uses to gather visitor data and monitor the health of qpp.cms.gov are deployed using Tealium iQ. Tealium iQ gives CMS and its staff and contractors an easy way to manage all of these tools.
The Tealium iQ Privacy Manager offers opt-in or opt-out choices to site visitors. Tealium iQ Privacy Manager gives site visitors control over which tags or cookies they want to accept while they visit the site.
Have the third-party privacy policies been reviewed to evaluate any risks and to determine whether the Website or application is appropriate for OPDIV use?
Yes
Describe alternative means by which the public can obtain comparable information or services if they choose not to use the third-party Website or application:
Tealium is a tool used to access information about the QPPs without their activity being tracked by third parties. Consumers can use Tealium iQ to disable cookies if they do not want their device information to be collected.
Does the third-party Website or application have appropriate branding to distinguish the OPDIV activities from those of nongovernmental actors?
No
How does the public navigate to the third party Website or application from the OPIDIV?
N/A. Tealium iQ is a tool that provide consumers a convenient opt-out choices; it is not a website accessible to the public.
Please describe how the public navigate to the third party website or application:
N/A. Tealium iQ is a tool that provide consumers a convenient opt-out choices; it is not a website accessible to the public.
If the public navigate to the third-party website or application via an external hyperlink, is there an alert to notify the public that they are being directed to a non-governmental Website?
No
Has the OPDIV Privacy Policy been updated to describe the use of a third-party Website or application?
Yes
Provide a hyperlink to the OPDIV Privacy Policy:
https://qpp.cms.gov/privacy/
Is an OPDIV Privacy Notice posted on the third-part website or application?
No
Is PII collected by the OPDIV from the third-party Website or application?
No
Will the third-party Website or application make PII available to the OPDIV?
No
Describe the PII that will be collected by the OPDIV from the third-party Website or application and/or the PII which the public could make available to the OPDIV through the use of the third- party Website or application and the intended or expected use of the PII:
CMS does not collect any PII through the use of Tealium iQ.
Describe the type of PII from the third-party Website or application that will be shared, with whom the PII will be shared, and the purpose of the information sharing:
PII is not stored or shared.
If PII is shared, how are the risks of sharing PII mitigated?
No PII is shared with CMS.
Will the PII from the third-party website or application be maintained by the OPDIV?
No
Describe how PII that is used or maintained will be secured:
Not applicable.
What other privacy risks exist and how will they be mitigated?
CMS will use Tealium iQ in a manner that protects the privacy of consumers who visit qpp.cms.gov and respects the intent of qpp.cms.gov users. CMS will conduct periodic reviews of Tealium iQ's privacy practices to ensure its policies continue to align with agency objectives and privacy policies and do not present unreasonable or unmitigated risks to consumer privacy. Tealium iQ is employed solely for the purposes of improving CMS' services and online activities related to operating qpp.cms.gov. Information collected by Tealium iQ is created and maintained by Tealium.
Risk #1:
Persistent cookies are used by third party tools on qpp.cms.gov to collect user’s information such as IP address, host name, operating system, browser, screen resolution timestamp, etc. These cookies are stored on a user’s local browser. Persistent cookies remain in your browser after you close your browser or turn off your computer. With the exception of the Tealium "Privacy Manager" cookie discussed below, Tealium cookies remain on users’ browsers for one (1) year.
The Tealium "Privacy Manager" feature creates a cookie that has a lifespan of 3 years. This cookie only stores information about consumer's privacy settings to ensure their preferences are saved. Because the Privacy Manager works using a cookie that is installed on a site visitor's browser, the opt-in and opt-out choices made through the Privacy Manager will only be effective on the device through which a user makes opt-in or opt-out choices using the Privacy Manager, and a user's choices will expire after 3 years when the Privacy Manager cookie expires. Thereafter, users must revisit the Privacy Manager to renew their opt-in and opt-out choices.
Mitigation:
Tealium iQ's privacy policies, notices from qpp.cms.gov, information published by Tealium about its privacy policies, and the ability for consumers to disable cookies and opt out of providing their information to Tealium maximizes consumers ability to protect their information and mitigates risks to their privacy.
Risk #2:
CMS also recognizes that if Tealium iQ is not implemented correctly in relation to qpp.cms.gov, personal information could be collected about qpp.cms.gov visitors.
Mitigation:
Therefore, to mitigate this risk, CMS only allows a limited number of trained and credentialed staff or contractors to implement Tealium iQ.
