Effective on 2018. Last revised on March 6, 2020.
- What information is automatically collected
- Why the referred information is collected and the use that is given to such information
- With whom the information can be shared
- Alternatives for the User to control the use of their personal information
- The security measures used to protect the information that is collected and stored in the database of the Website.
Information automatically collected
When requesting services through the CDBG-DR Program Website, Users may be asked for general personal information (e.g. name/legal name, address, phone number, e-mail) with the sole purpose of identifying the User and verifying the User’s identity to provide the Website services.
In addition, the Website server will automatically collect certain non-personally identifiable information (non-PII) about Website users. Specifically, each time a Hypertext Transfer Protocol (HTTP) request is received, information will be collected and stored, including the following:
- The apparent Internet Protocol (“IP”)[ii] address of your Internet Service Provider (“ISP”) and/or your computer, if your computer has an IP address assigned directly to it.
- The apparent Fully Qualified Domain Name (“Domain Name”)[iii] of your Internet Service Provider (“ISP”)[iv] and/or your computer, if your computer has a domain name assigned directly to it.
- The type of browser used (for example, Internet Explorer, Opera, Firefox, Chrome, etc.) and the operating system resident on your computer.
- The date and time that you visited the site, including web pages accessed at the site, as well as any applications used and forms data.
- The Uniform Resource Locator (“URL”)[v] of the site which you visited prior to accessing the Website (if detectable), if you did not connect directly to the Website or use it as a homepage.
This information is used to identify site performance needs, to ensure compatibility with the technology used by the Website’s Users, and to improve services offered on the Website. To accomplish those goals, statistical analysis of the collected data may be conducted from time to time.
The Website does not sell, exchange, or otherwise distribute the data collected for commercial or marketing purposes.
Why is personal information collected and how is personal information used?
Information affirmatively submitted by the User may also be used for administrative purposes of the Website, in order to audit and evaluate the performance of the electronic management of the various agencies and public corporations of the Government of Puerto Rico[vi]. The purposes for which information affirmatively submitted by the User may be used include, but are not limited to, the following:
- Helping to respond to a request for information not readily available from the Website.
- Responding to inquiries made through a contact request.
- Investigating a problem reported via the Website.
- For the maintenance and improvement of the Website.
- Keeping lists of parties interested in some particular issue or facet about which it anticipates issuing further information in the future.
- To analyze information from time to time to determine the interests of the users and the frequency that they visit the sites and web pages of this Website.
- Sending informational updates and conducting outreach on topics such as, but not limited to, public benefits and services and upcoming events.
- Sharing information with other agencies or offices or other government agencies for the limited purpose of facilitating services and benefits, in accordance with all applicable federal, state, and local laws and regulations.
- Disclosure of such information pursuant to a request made under the Freedom of Information Act (“FOIA”) or a court order, if such information is not protected by federal, state, or local law.
Personally identifiable information (PII) (e.g., information such as name, address, phone number, e-mail, etc., or other information that identifies or could lead to the identification of a user as a particular person) is not sold, rented, exchanged, or traded with third parties without a User’s explicit permission.
The Website sends electronic mails (“e-mails”) to all registered Users, and such e-mails are NOT confidential; they are identical in nature to the information generally available to the public and news media.
With whom is the personal information of the users shared?
The personal information of the users may be shared with the agencies, dependencies and public corporations of the Government of Puerto Rico and the federal government and their respective suppliers and/or contractors under the Program. In such events, only the information that is necessary to carry out the services under the Program will be disclosed. Information may also be disclosed to agencies (local and federal) responsible for maintaining law and public order, if such disclosure is required by law or by a court order.
Protection of collected information
In program application or applications, Users will have the opportunity to create a username and password to access or submit personally identifiable information. One should not divulge a password to anyone and the PRDOH will never ask a User for a password on a telephone call, fax, e-mail or other form of unsolicited communication. When a User is finished with an application or applications that are password protected, such User should exit the relevant page(s). If the browser used to access said password protected pages is a publicly-accessible browser, Users should close down the entire session and, if applicable or possible, flush any temporary caches or other areas where such a password might be stored subsequent to use, and log out of all applications.
The Website uses cryptographic protocols, or Transport Layer Security (TLS)[vii], designed to provide secure communications over the internet or through a computer network. User information collected and stored will be protected, and the online platform will not be used to provide the services unless it can be done in a secure manner. For these purposes, reasonable precautions shall be taken to maintain the security, confidentiality and integrity of the information collected on and through this Website. Occasionally third parties will be hired to provide certain services with respect to the Website and its database; these contractors will be subject to the requirements necessary to ensure that they do not compromise the security, confidentiality and integrity of the personal information to which they may have access in the course of performing their services. Industry standard or better security measures and systems have been integrated into the design, implementation and day-to-day operation of the Website and its underlying servers and networks. Furthermore, ongoing efforts will be maintained to identify and/or block unauthorized attempts to intrude into or onto the Website, to upload to or change information on the Website, or otherwise to cause damage to the Website or the information resident on or submitted to it. The act of using the Website constitutes the User’s express consent to the monitoring of all uses of the Website’s system. If such monitoring reveals possible evidence of criminal activity or any other unauthorized use, system administration personnel may provide the User’s information to law enforcement or other officials, as authorized or required by law.
Information of persons under 21 years of age
No applications on the Website specifically solicit information from minors or seek to determine whether the visitor is a minor. Consequently, because such information will not be specifically identified as being from minors, users of the Website should be aware that personally identifiable information submitted to the Website by minors will be subject to being treated in the same manner as information given by an adult and may become subject to the Freedom of Information Act (“FOIA”).
Health Care Information
Any agency subject to the Health Insurance Portability and Accountability Act of 1996 and its regulations (collectively, “HIPAA”) that creates, receives, maintains, or transmits via a website any Protected Health Information (“PHI”), as that term is defined by HIPAA, must comply with HIPAA’s Privacy and Security Rules. The agency must also require its Business Associates, as that term is defined by HIPAA, to comply with HIPAA when, on behalf of the agency, each such Business Associate creates, receives, maintains, or transmits PHI hosted by this Website. Nothing stated herein shall be interpreted to diminish the compliance requirements imposed by any other applicable law or State policy.
Warning regarding the use of electronic mail
Electronic mail is not a secure medium for the transmission of personal information. Therefore, the Website does not send personal information via e-mail. The user will only receive general information via e-mail.
Warning about the use of “cookies”
The Website uses “cookies”[viii] when a User navigates its sites and web pages. Such “cookies” do not provide personal information that identifies the User and cannot read the “cookies” files created by other providers.
The types of “cookies” set on the Website are:
- Site preferences cookies: To provide you with a better experience on this Website, we have a functionality to set your preferences for how the Website runs when you use it. To remember your preferences, we need to set cookies so that this information can be called whenever you interact with a page that is affected by your preferences.
- Third Party cookies:
  - This Website uses Google Analytics, which is one of the most trusted analytics solutions available on the web, to help us comprehend how you use the Website and find ways that we can improve your experience. These cookies may track things such as how long you spend on the Website and the pages visited within the Website, so that we can enhance the Website experience. For more information on Google Analytics cookies, please refer to the official Google Analytics page.
  - We also use social media buttons and/or plugins on this site that allow you to connect with your social network in various ways. For these to work, social media sites such as Facebook will set cookies through our Website which may be used to enhance your profile on their site or contribute to the data they hold for various purposes outlined in their respective privacy policies.
Web Bugs (a/k/a Web Beacons)
The Website does not use web bugs[ix] on its web pages or in any HTML, e-mail generated by use of the Website, or otherwise sent from the Website, for any purpose other than to identify site performance needs, to ensure compatibility with the technology used by the Website’s visitors, and to generally add and improve services offered on the Website.
Third Party Links
Some content on portions of the Website resides on servers run by third parties. Each agency providing content for the Website is bound by this Policy. Any agency using a third-party host, ISP, ASP or other combination of third-party transport, storage, content or application provision services shall require such third party to comply with this Policy.
The content of the Website’s webpages is copyrighted and contains some third-party images/graphics that are used with permission. Users are notified, therefore, that one should presume the need to obtain permission from the copyright holder before reproducing or otherwise using images/graphics from the Website.
The Website may change this policy from time to time and reserves the right to do so without notice.
[i] There is a “CDBG-DR Personally Identifiable Information, Confidentiality, and Nondisclosure Policy”, which can be found on http://itdgprlab.solutions. This stand-alone policy defines “Personally Identifiable Information (PII)” as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. 2 C.F.R. § 200.79. This type of information includes, for example, first and last name, social security number, biometric records, date and place of birth, mother’s maiden name, etc.
[ii] IP (Internet Protocol): Is the fundamental protocol for communications on the Internet. It is the number used to identify a computer or another device on the Internet.
[iii] Domain Name: It is the address where Internet users can access your website; it was developed to identify entities on the internet rather than using the IP address.
[iv] ISP (Internet Service Provider): Is the term for the company that is able to provide access to the Internet.
[v] URL (Uniform Resource Locator): Is a special form of individual address of a certain resource on the Internet. It can refer to the website, some particular document, or an image.
[vi] Act No. 75-2019, also known as the Puerto Rico Innovation and Technology Service (PRITS) Act, amends the Electronic Government Act, Law No. 151-2004, to establish that the PRITS is the entity that shall have the faculties of “establishing safety policies at the government level on the access, use, classification and custody of information systems”; and “may establish policies directed to guaranteeing the privacy and protection of the personal information with regard to Internet use”, 3 L.P.R.A. §904 (f) & (g).
[vii] TLS (Transport Layer Security): Is a protocol that provides authentication, privacy, and data integrity between two communicating computer applications. It’s the most widely-deployed security protocol used today and is used for web browsers and other applications that require data to be securely exchanged over a network, such as web browsing sessions, file transfers, VPN connections, remote desktop sessions, and voice over IP (VoIP).
[viii] Cookies: A cookie is a message given to a web browser by a web server. The browser stores the message in a text file. The message is then sent back to the server each time the browser requests a page from the server.
[ix] Web bugs: Are small images (e.g. .gif, .jpeg, .png) that companies and organizations use in their web pages, e-mails and other HTML supporting documents to track information about the users who are using their online web services.