PEPFAR Data Governance
PEPFAR Data Governance
PEPFAR Data Governance
August 9, 2017
This document complements relevant policy directives and existing policy documents and guidance from
the Office of Management and Budget (OMB) and PEPFAR implementing agencies: Department of State
(DoS); U.S. Agency for International Development (USAID); Department of Defense (DoD); Department
of Commerce (DoC); Department of Labor (DoL); Department of Health and Human Services (HHS);
Peace Corps and; Department of the Treasury. The document further outlines roles and responsibilities
for critical data management functions that support the PEPFAR program.
2.1 Accountability
PEPFAR meets and exceeds the reporting requirements established by the PEPFAR Stewardship and
Oversight Act of 20134 (Public Law 113-56) the related Senate Foreign Relations Committee’s Report 5 on
those requirements (S. Rept. 113-112) and the Foreign Aid Transparency and Accountability Act. 6, 7
2.2 Transparency
According to OMB Circular A-130, “government information” refers to information “created, collected,
processed, disseminated, or disposed of, by or for the Federal Government.” This directive and data
policy set the guiding principles of PEPFAR to value privacy, transparency and openness.
1 White House Executive Order 13642, Making Open and Machine Readable the New Default for Government Information.
http://www.gpo.gov/fdsys/pkg/FR-2013-05-14/pdf/2013-11533.pdf
2 Office of Management and Budget. OMB Circular A-130, Revised. Management of Federal Information Resources,
https://www.whitehouse.gov/omb/circulars_a130_a130trans4
3 Executive Office of the President. OMB Memorandum M-13-13 Open Data Policy-Managing Information as an Asset.
https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2013/m-13-13.pdf
4 PEPFAR STEWARDSHIP AND OVERSIGHT ACT OF 2013, 127 STAT. 648 PUBLIC LAW 113–56—DEC. 2, 2013.
https://www.congress.gov/113/plaws/publ56/PLAW-113publ56.pdf
5 PEPFAR STEWARDSHIP AND OVERSIGHT ACT OF 2013 (S. 1545). https://www.congress.gov/113/crpt/srpt112/CRPT-
113srpt112.pdf
6
“H.R.3766 — 114th Congress: Foreign Aid Transparency and Accountability Act of 2016.”
https://www.congress.gov/bill/114th-congress/house-bill/3766/
7
"S.2184 — 114th Congress: Foreign Aid Transparency and Accountability Act of 2015", https://www.congress.gov/bill/114th-
congress/senate-bill/2184
The All Things Data Steering Committee (ATDSC) consists of representatives from the implementing
agencies and is chaired by the Deputy Coordinator for Program Results and Impact Monitoring for
Epidemic Control (PRIME) at the U.S. Department of State’s Office of the U.S. Global AIDS Coordinator
and Health Diplomacy (S/GAC). ATDSC provides strategic direction and guidance for all PEPFAR data
collection efforts. The committee chair advises the Coordinator.
ATDSC develops, reviews, and approves data governance policies, processes, and standards, which data
stewards implement. The term “data steward” refers to a role assigned to staff under their existing
position that ensures adherence to data management policies. PEPFAR data stewardship encompasses a
set of roles that a variety of individuals occupy in relation to data at different points in data lifecycles.
Each data stream has its own lifecycle and is subject to data governance policy and data stream-specific
supplementary guidance that is authored by a primary data steward, which is a designated team or
working group. Questions about PEPFAR Data Governance policy should first go to the primary data
steward, described below, and then be posed to ATDSC as necessary.
4. PEPFAR Data
The main focus of this document is on the dissemination of substantive information (i.e., data sets,
reports, studies, and summaries) generated with PEPFAR support rather than information prepared for
the management and operations of PEPFAR. This policy does not apply to press releases or similar
communications. This policy does not cover data curated or owned by other entities outside of PEPFAR,
such as data shared with PEPFAR but owned by a partner government.
Monitoring, Evaluation, and Reporting Indicators (MER): PEPFAR program indicators for targets
and results.
o Primary Data Steward: PRIME
o Documentation: Annual Program Reporting Guidance, PEPFAR Monitoring, Evaluation,
and Reporting Indicator Reference Guide8, and MER Data Life Cycle
Site Improvement Through Monitoring System (SIMS): data from standardized tools that assess
adherence to PEPFAR standards of care and service delivery.
o Primary Data Steward: Program Quality
o Documentation: SIMS Data Life Cycle
Expenditure Analysis: the amount of funds spent by PEPFAR implementing partners via
Country/Regional Operational Plans.
o Primary Data Steward: PRIME
o Documentation: Expenditure Analysis of PEPFAR Programs Guidance
8
PEPFAR Guidance. https://www.pepfar.gov/reports/guidance/
Budget: initial planned funding levels approved each year in the PEPFAR Country Operational
Plans (COP) and Region Operational Plans (ROP). A COP/ROP is the vehicle for documenting U.S.
government annual investments and program activities in HIV/AIDS for each PEPFAR operating
unit (country or region).
o Primary Data Steward: Country Oversight and Accountability
o Documentation: Country Operational Plan Guidance9
Organization unit (OU) hierarchy: geographic relationships, in tabular form, that define the
arrangement of administrative units and health facilities in DATIM, which is PEPFAR’s instance of
DHIS2. 10
o Primary Data Steward: PRIME
Spatial Data: points lines and polygons that capture the geometry of administrative units and
health facilities.
o Primary Data Steward: PRIME
o Documentation: Spatial Data Lifecycle Guidance
Sustainability Index and Dashboard (SID): a tool completed periodically by PEPFAR teams and
partner stakeholders to sharpen the understanding of each country’s sustainability landscape
and to assist PEPFAR and others in making informed HIV/AIDS investment decisions.
o Primary Data Steward: Financial and Programmatic Sustainability
Surveys and Surveillance: data on epidemic features such as HIV prevalence; national HIV
incidence; pediatric HIV prevalence; HIV viral load suppression; behavioral prevalence in the
general population; behavioral prevalence among high-risk populations; and transmission of
drug resistant HIV strains.
o Primary Data Steward: Agency-specific
o Documentation: Agency-specific guidance governs these data streams.
Implementation Science: research that informs delivery and scale-up of efficacious
interventions to improve HIV prevention, care, and treatment
o Primary Data Steward: Agency-specific
o Documentation: Agency-specific guidance governs these data streams.
Evaluations: the systematic collection and analysis of information about the characteristics,
outcomes, and impact of programs and projects
o Primary Data Steward: Agency-specific
o Documentation: Evaluations Standards of Practice11
9
PEPFAR Guidance. https://www.pepfar.gov/reports/guidance/
10
DHIS2 Documentation. Organisation units. https://docs.dhis2.org/2.22/en/user/html/ch04.html
11
PEPFAR Guidance. https://www.pepfar.gov/reports/guidance/
repository, for data collected by transactional systems across the PEPFAR program. PDH consolidates,
stores, and packages PEPFAR data for internal analysis and review as well as public dissemination.
Figure 1 briefly describes the purpose of each of PEPFAR’s information systems and depicts their
interrelationship.
Figure 1. The PEPFAR Data Hub, transactional systems, business intelligence, and analytic tools.
5. Data Access
5.1 Improving access to data for HIV epidemic control
The PEPFAR program makes data accessible to maintain transparency and improve our ability to achieve
HIV epidemic control. Data access policy allows the PEPFAR community to take full advantage of its data
resources and responsibly expand public access to valuable information. PEPFAR encourages its
partners, the academic and scientific communities, and the public at large to make broad use of PEPFAR
data for innovative scientific, technological, analytical, and other applications.
A key feature of data accessibility is whether data are releasable to the public or must remain internal to
the United States Government. PEPFAR uses the OMB categorization that describes data as public,
restricted public, or non-public.12
Public: Data asset is or could be made publicly available to all without restrictions.
12
Chief Information Officer. Supplemental Guidance on the Implementation of M-13-13 “Open Data Policy – Managing
Information as an Asset”. https://project-open-data.cio.gov/implementation-guide/
Restricted Public: Data asset is available under certain use restrictions (e.g. made available to
select researchers under certain conditions).
Non-public: Data asset is not available to members of the public and is only available for internal
use by the Federal Government.
5.2 Redaction
PEPFAR publishes country operations plans with redaction of procurement-sensitive funding
information for awards that have not yet been made. Procurement-sensitive data become open when
the decision is announced.
Some data that PEPFAR collects and manages are sensitive and not appropriately releasable to the
public. PEPFAR attenuates risks associated with personally identifiable information (PII) and other
sensitive data through geographic aggregation. The most granular data used for routine planning and
monitoring are deidentified through aggregation to the site level, which is either a clinical site or a low-
level administrative unit (e.g. a district).13 All data below this level are non-public or restricted public and
should be shared only with groups identified in data use agreements or an ethics board-approved
protocol. Table 1 describes for the primary data streams the level of data granularity associated with
each access level.
13
National Institute of Standards and Technology. Guide to Protecting the Confidentiality of Personally Identifiable Information
(PII). Special Publication (NIST SP) - 800-122, https://www.nist.gov/publications/guide-protecting-confidentiality-personally-
identifiable-information-pii
5.3.1 Data generated at foreign military sites
A portion of PEPFAR data relates to foreign militaries. PEPFAR supports military-to-military (mil-mil),
civilian-to-military (civ-mil), and military-to-civilian (mil-civ) activities.
Military-military (mil-mil) are DoD programs with a primary focus to serve military populations
at military site locations. Beneficiaries may include civilians who are provided with services at
military sites.
Civilian – military (civ – mil) are non-DoD programs serving military populations at military sites.
Beneficiaries may include civilians who are provided with services at military sites.
Military-civilian (mil-civ) have a primary focus to serve civilian populations at civilian site
locations. These may be DOD or non-DOD managed program activities.
PEPFAR records data on mil-civ activities at the level of granularity specified by the data stream with no
special exception. All mil-mil and civ-mil data, at any level of aggregation, is non-public.
5.7.2 Program Results and Impact Monitoring for Epidemic Control (PRIME)
S/GAC’s PRIME Team is responsible for maintaining systems that assure role-based access to PEPFAR
data. These systems, tools, repositories, and business intelligence platforms include The PEPFAR Data
Hub, Panorama Spotlight, Panorama, DATIM, and ArcGIS Online.
5.7.3 Agencies
Implementing agencies should ensure that PEPFAR-supported contracts, grants, cooperative
agreements, and other instruments include existing agency-specific data access-related guidance and
that recipients fulfill those requirements. Where applicable (e.g. SIMS, evaluations, implementation
science, surveillance) agencies submit, in machine readable format, complete and approved data
according to the calendar for each data stream.
17
Project Open Data, Principles. https://project-open-data.cio.gov/principles/
18
Data.gov. A Primer on Machine Readability for Online Documents and Data. https://www.data.gov/developers/blog/primer-
machine-readability-online-documents-and-data
5.7.5 Implementing partners/grantees
PEPFAR fund recipients provide quality data in machine readable formats according to the required
reporting calendar and data definitions for each data stream.
6 Data Security
Data security ensures appropriate access to data through the implementation of risk-based security
requirements.19 Security addresses physical, electronic, and procedural aspects of protecting
information. Security protects data from inadvertent or malicious inappropriate disclosure and non-
availability of data due to system failure and user error.
PEPFAR adheres to standards for categorizing information and information system security according to
a range of risk levels. PEPFAR also adheres to information security requirements (i.e., management,
operational, and technical security controls) for information and information systems in each such
category.20 , 21, 22
Data stream-specific documentation traces the chain of custody from data generation to the data’s state
of rest and should address the following data security components:
Responsibilities
Data collection and use
Data sharing and release
Physical security
Electronic data security
Audit and monitoring
Retention23
An Interagency System Security Forum (ISSF) reviews PEPFAR technology as it pertains to security and
privacy implementations and makes recommendations to the ATDSC on technology configuration, data
security standards, policy, and procedures. The ISSF will be chaired by the Health Information System
Lead at S/GAC, with representation from each agency, plus additional members including the agencies’
19 UNAIDS. 2006. Guidelines on Protecting the Confidentiality and Security of HIV Information.
http://data.unaids.org/pub/manual/2007/confidentiality_security_interim_guidelines_15may2007_en.pdf
20 National Institute of Standards and Technology. Standards for Security Categorization of Federal Information and Information
Types of Information and Information Systems to Security Categories (August 2008). http://dx.doi.org/10.6028/NIST.SP.800-
60v2r1
23 Executive Office of the President. OMB Memorandum M-12-18 Managing Government Records Directive.
https://www.archives.gov/records-mgmt/m-12-18.pdf
Chief Information Security Officers and others with relevant security or privacy expertise. The ISSF meets
monthly or as needed.
PEPFAR data that are influential scientific, financial, or statistical information should be reproducible
according to commonly accepted scientific, financial, or statistical standards. PEPFAR data that are for
internal use only should undergo rigorous, documented robustness checks. Quality standards for
PEPFAR data appear in data stream-specific documentation.
Prepare a draft of the data set or document after consulting the necessary parties, including
government and non-government sources, as appropriate;
Determine and assure the accuracy and completeness of source data;
Determine the expected uses by the government and public;
Determine necessary clearance points;
Determine where the final clearance decision shall be made;
Determine whether peer review would be appropriate and, if necessary, coordinating such
review;
Obtain clearances; and
Overcome delays and, if necessary, present the matter to higher authority.
7.2 Integrity
Several administrative layers ensure the integrity of PEPFAR data against unauthorized, unanticipated,
or unintentional modification. Together these controls protect the security of PEPFAR information (see
Data Security above).
PEPFAR data systems employ role-based access to prevent unauthorized modification of data. Several
key data streams are governed by the PEPFAR Data Calendar (see Data Access above), which promotes
integrity by setting clear expectations for when systems are open or closed for data entry and revision.25
24 OMB, Guidelines for Ensuring and Maximizing the Quality, Objectivity, Utility, and Integrity of Information Disseminated by
Federal Agencies, https://www.gpo.gov/fdsys/pkg/FR-2002-02-22/pdf/R2-59.pdf
25 PEPFAR Data Calendar, https://www.pepfarii.net/
7.3 Requests for corrections
When PEPFAR receives information from the public that raises questions about the quality of the
information it has disseminated, PEPFAR duly considers corrective action. The purpose of this corrective
action is to serve the genuine and valid needs of PEPFAR without disrupting PEPFAR processes, and to
deal with information quality matters, not to resolve underlying substantive policy or legal issues.
“Affected” persons are those who may benefit or be harmed by the disseminated information. This
includes both: (a) persons seeking to address information about themselves or about other persons to
which they are related or associated; and (b) persons who use the information.
Persons seeking to correct information affecting them that was publicly disseminated by PEPFAR may
submit a Petition for Correction addressed to SGACPublicAffairs@state.gov or:
7.4.4 Agencies
Agencies implement PEPFAR-specific and their respective information quality guidelines.26 27
Known issues are documented in data release notes that accompany data sets. A data dictionary should
accompany data sets to support appropriate use of PEPFAR data.
29U.S. Chief Information Officer. Project Open Data. Metadata Resources for Schema v1.1. https://project-open-
data.cio.gov/v1.1/metadata-resources/
8 References
U.S. Department of Health and Human Services (HHS). Guidelines for Ensuring and Maximizing the
Quality, Objectivity, Utility, and Integrity of Information Disseminated to the Public,
https://aspe.hhs.gov/report/hhs-guidelines-ensuring-and-maximizing-quality-objectivity-utility-and-
integrity-information-disseminated-public
Office of Management and Budget. OMB Circular A-130, Revised. Management of Federal Information
Resources, https://www.whitehouse.gov/omb/circulars_a130_a130trans4
Office of Management and Budget. OMB Memorandum M-13-13 Open Data Policy-Managing
Information as an Asset.
https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2013/m-13-13.pdf
Office of Management and Budget. Guidelines for Ensuring and Maximizing the Quality, Objectivity,
Utility, and Integrity of Information Disseminated by Federal Agencies. Federal Register / Vol. 67, No. 36
/ Friday, February 22, 2002 / Notices. https://www.gpo.gov/fdsys/pkg/FR-2002-02-22/pdf/R2-59.pdf
UNAIDS. 2006. Guidelines on Protecting the Confidentiality and Security of HIV Information.
http://data.unaids.org/pub/manual/2007/confidentiality_security_interim_guidelines_15may2007_en.p
df
U.S. Chief Information Officer. Project Open Data. Metadata Resources for Schema v1.1. https://project-
open-data.cio.gov/v1.1/metadata-resources/
U.S. Chief Information Officer. Project Open Data. Open Data Principles. https://project-open-
data.cio.gov/principles/
U.S. Department of State Open Data Plan, IRM. November 12, 2013.
http://www.state.gov/documents/organization/217997.pdf
White House Executive Order 13642, Making Open and Machine Readable the New Default for
Government Information. http://www.gpo.gov/fdsys/pkg/FR-2013-05-14/pdf/2013-11533.pdf