Preliminary Privacy Impact Assessment

The Office of Management and Budget mandates that we publish our lists of Privacy Impact Assessments (PIAs) on our web site.

TITLE: Integrated Disbursement and Information System (IDIS)

September, 2003

UPI # 025-00-04-00-01-1010-00-207-087

PCAS # 00252200

Is this a new or substantially revised electronic information system? If revised, describe revisions.

IDIS is an existing grants management system used currently by grantees of four major formula grant programs managed by CPD: Community Development Block Grant (CDBG), HOME Investment Partnerships (HOME), Emergency Shelter Grants (ESG), and Housing Opportunities for Persons with AIDS formula (HOPWA) programs. CPD proposes to substantially revise the system to make the following changes:

  • Improve user access which is currently limited to only a few older versions of Netscape and Internet Explorer and older versions of Windows so grantees outside HUD's firewall will be able to use current internet browsers and operating systems to log into IDIS;
  • Improve user navigation within IDIS with a goal of no more than three mouse clicks to get to anywhere within IDIS;
  • Improve screen design to use a GUI so that Windows features, such as using a mouse, clicking on buttons, and having drop-down menus, can be used on IDIS screens;
  • Improve the system's data quality by adding additional edits to accomplishment data fields to guarantee that grantees do report accomplishments and that what they report appears to be reasonable;
  • Add major functionality to IDIS by incorporating the Consolidated Plan (the "application" for these four grant programs) into IDIS, adding Sec. 108 Guarantee Loan funds as a new fund type linked to the CDBG program, allowing users to subgrant program income funds, re-writing the sub-granting module, incorporating an ad-hoc reporting capacity into IDIS, and preparing IDIS to work with a new Federal e-grants portal and a new Department financial system; and
  • Add the HOPWA competitive grant program to IDIS.

If any question does not apply, state not applicable (N/A) for each question and explain why.

I. Describe the information to be collected (e.g., nature and source). Be sure to include any information in an identifiable form, e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.

IDIS collects information on the amount of funds used for projects and activities, the amount and type of funds spent, the nature of the activity on which the money is spent, and accomplishments resulting from the expenditure of funds. The grantees enter this information into IDIS. No beneficiary is identified by name, social security number, or other personal identifying information. For the CDBG, ESG, and HOPWA programs, aggregated information on the nature of all beneficiaries for an activity is entered into IDIS, such as the total number of housing units, total number of jobs, total number of persons, and total number of households benefiting from the activity. The HOME program does require its grantees to report by housing unit and address on the racial and income characteristics of the occupants, but does not allow the grantees to enter the name or social security number(s) of the occupants of any housing unit.

II. Why is the information being collected (e.g., to determine eligibility)?

These grant programs all have "back-end" review requirements. The information is necessary to determine if each program's money was spent on eligible activities.

III. How will the information be used (e.g., to verify existing data)?

The information is used by HUD Field Offices to determine whether grantees are complying with all statutory and regulatory provisions in the use of grant funds. HUD HQ uses the information to determine national uses of funds overall and for various population groups such as those who are of a minority race.

IV. Will you share the information with others (e.g., another agency for a programmatic purpose)? If yes, list the entities.

HUD does not share IDIS information with others, although it allows grantees to download their own data, and it does respond to FOIA requests. The system does store some information, such as the location of shelters, which, if released indiscriminately, could pose a safety risk to those living in the shelter. The IDIS system administrator reviews all FOIA disseminations to guarantee that personal security is not violated.

V. Describe what opportunities individuals have been given to decline to provide information or to consent to particular use of the information (e.g., whether an individual may withhold permission for a particular use).

Individual beneficiaries do not enter information into IDIS. Grantees enter information on the use of funds and the nature of beneficiaries and their characteristics without naming individuals, families, or their social security numbers. Grantees collect what information they need to be certain that the beneficiaries of each grant program are eligible.

VI. How will the information be secured (e.g., administrative and technological controls)?

Internet access to IDIS is restricted by HUD's firewall. Passage through the firewall is permitted only to those using a web390 plugin and having a user ID and password supplied by the department's security office specifically for the purpose of passage through HUD's firewall. Further, a system user ID and password, also supplied by the department's security office, is required to access IDIS and restricts the user's rights. The HUD IDIS security administrator establishes a profile for each IDIS user that limits the user's rights to a single grantee and to only those rights that were requested and approved by the respective HUD field office. Local system administrators can add to or restrict the rights of their users within the system. Grantee internet access utilizes SSL technology with 128-bit encryption.

All HUD systems use some form of access control software. All Hitachi-based systems use CA Top Secret and Unisys-based systems use SIMAN. Every IDIS user must authenticate himself or herself through the HUD network before gaining access to IDIS. Furthermore, HUD uses audits and audit trails, encrypts passwords, allows limited login attempts, and removes stagnant user accounts to help limit access to the system and ensure its protection.

VII. How will the data be retrieved (e.g., will it be retrieved by a personal identifier such as name, social security number, address, telephone number or some other identifier that is unique to an individual)?

Data is retrieved by grantee and activity. No personal information is stored in IDIS by a person's or household's name or social security number.