PT

Personally Identifiable Information Processing and Transparency

Catalog: Electronic (OSCAL) Version of NIST SP 800-53 Rev 5.2.0 Controls and SP 800-53A Rev 5.2.0 Assessment Procedures  |  Controls: 52

Control ID | Title / Statement | Priority | Baseline Impact

PT-01 | Policy and Procedures (9 params)
a. Develop, document, and disseminate to {{ insert: param, pt-1_prm_1 }}: 1. {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy that: ...
Param ID | Label | Constraint / Choices
pt-1_prm_1 | organization-defined personnel or roles | Organization-defined
pt-01_odp.01 | personnel or roles | personnel or roles to whom the personally identifiable information processing and transparency policy is to be dissem...
pt-01_odp.02 | personnel or roles | personnel or roles to whom the personally identifiable information processing and transparency procedures are to be d...
pt-01_odp.03 | | Select one-or-more: organization-level; mission/business process-level; system-level
pt-01_odp.04 | official | an official to manage the personally identifiable information processing and transparency policy and procedures is de...
pt-01_odp.05 | frequency | the frequency at which the current personally identifiable information processing and transparency policy is reviewed...
pt-01_odp.06 | events | events that would require the current personally identifiable information processing and transparency policy to be re...
pt-01_odp.07 | frequency | the frequency at which the current personally identifiable information processing and transparency procedures are rev...
pt-01_odp.08 | events | events that would require the personally identifiable information processing and transparency procedures to be review...
PT-02 | Authority to Process Personally Identifiable Information (3 params)
a. Determine and document the {{ insert: param, pt-02_odp.01 }} that permits the {{ insert: param, pt-02_odp.02 }} of personally identifiable information; and b. Restrict the {{ insert: param, ...
Param ID | Label | Constraint / Choices
pt-02_odp.01 | authority | the authority to permit the processing (defined in PT-02_ODP[02]) of personally identifiable information is defined;
pt-02_odp.02 | processing | the type of processing of personally identifiable information is defined;
pt-02_odp.03 | processing | the type of processing of personally identifiable information to be restricted is defined;

PT-02(01) | Data Tagging (2 params)
Attach data tags containing {{ insert: param, pt-02.01_odp.01 }} to {{ insert: param, pt-02.01_odp.02 }}.
Param ID | Label | Constraint / Choices
pt-02.01_odp.01 | authorized processing | the authorized processing of personally identifiable information is defined;
pt-02.01_odp.02 | elements of personally identifiable information | elements of personally identifiable information to be tagged are defined;

PT-02(02) | Automation (1 param)
Manage enforcement of the authorized processing of personally identifiable information using {{ insert: param, pt-02.02_odp }}.
Param ID | Label | Constraint / Choices
pt-02.02_odp | automated mechanisms | automated mechanisms used to manage enforcement of the authorized processing of personally identifiable information a...
PT-03 | Personally Identifiable Information Processing Purposes (4 params)
a. Identify and document the {{ insert: param, pt-03_odp.01 }} for processing personally identifiable information; b. Describe the purpose(s) in the public privacy notices and policies of the o...
Param ID | Label | Constraint / Choices
pt-03_odp.01 | purpose(s) | the purpose(s) for processing personally identifiable information is/are defined;
pt-03_odp.02 | processing | the processing of personally identifiable information to be restricted is defined;
pt-03_odp.03 | mechanisms | mechanisms to be implemented for ensuring any changes in the processing of personally identifiable information are ma...
pt-03_odp.04 | requirements | requirements for changing the processing of personally identifiable information are defined;

PT-03(01) | Data Tagging (2 params)
Attach data tags containing the following purposes to {{ insert: param, pt-03.01_odp.02 }}: {{ insert: param, pt-03.01_odp.01 }}.
Param ID | Label | Constraint / Choices
pt-03.01_odp.01 | processing purposes | processing purposes to be contained in data tags are defined;
pt-03.01_odp.02 | elements of personally identifiable information | elements of personally identifiable information to be tagged are defined;

PT-03(02) | Automation (1 param)
Track processing purposes of personally identifiable information using {{ insert: param, pt-03.02_odp }}.
Param ID | Label | Constraint / Choices
pt-03.02_odp | automated mechanisms | automated mechanisms for tracking the processing purposes of personally identifiable information are defined;
PT-04 | Consent (1 param)
Implement {{ insert: param, pt-04_odp }} for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed deci...
Param ID | Label | Constraint / Choices
pt-04_odp | tools or mechanisms | the tools or mechanisms to be implemented for individuals to consent to the processing of their personally identifiab...

PT-04(01) | Tailored Consent (1 param)
Provide {{ insert: param, pt-04.01_odp }} to allow individuals to tailor processing permissions to selected elements of personally identifiable information.
Param ID | Label | Constraint / Choices
pt-04.01_odp | mechanisms | tailoring mechanisms for processing selected elements of personally identifiable information permissions are defined;

PT-04(02) | Just-in-time Consent (3 params)
Present {{ insert: param, pt-04.02_odp.01 }} to individuals at {{ insert: param, pt-04.02_odp.02 }} and in conjunction with {{ insert: param, pt-04.02_odp.03 }}.
Param ID | Label | Constraint / Choices
pt-04.02_odp.01 | consent mechanisms | consent mechanisms to be presented to individuals are defined;
pt-04.02_odp.02 | frequency | the frequency at which to present consent mechanisms to individuals is defined;
pt-04.02_odp.03 | personally identifiable information processing | personally identifiable information processing to be presented in conjunction with organization-defined consent mecha...

PT-04(03) | Revocation (1 param)
Implement {{ insert: param, pt-04.03_odp }} for individuals to revoke consent to the processing of their personally identifiable information.
Param ID | Label | Constraint / Choices
pt-04.03_odp | tools or mechanisms | the tools or mechanisms to be implemented for revoking consent to the processing of personally identifiable informati...
PT-05 | Privacy Notice (2 params)
Provide notice to individuals about the processing of personally identifiable information that: a. Is available to individuals upon first interacting with an organization, and subsequently at {{ ...
Param ID | Label | Constraint / Choices
pt-05_odp.01 | frequency | the frequency at which a notice is provided to individuals after initial interaction with an organization is defined;
pt-05_odp.02 | information | information to be included with the notice about the processing of personally identifiable information is defined;

PT-05(01) | Just-in-time Notice (1 param)
Present notice of personally identifiable information processing to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a dat...
Param ID | Label | Constraint / Choices
pt-05.01_odp | frequency | the frequency at which to present a notice of personally identifiable information processing is defined;

PT-05(02) | Privacy Act Statements
Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained...
PT-06 | System of Records Notice
For systems that process information that will be maintained in a Privacy Act system of records: a. Draft system of records notices in accordance with OMB guidance and submit new and significantl...

PT-06(01) | Routine Uses (1 param)
Review all routine uses published in the system of records notice at {{ insert: param, pt-06.01_odp }} to ensure continued accuracy, and to ensure that routine uses continue to be compatible with t...
Param ID | Label | Constraint / Choices
pt-06.01_odp | frequency | the frequency at which to review all routine uses published in the system of records notice is defined;

PT-06(02) | Exemption Rules (1 param)
Review all Privacy Act exemptions claimed for the system of records at {{ insert: param, pt-06.02_odp }} to ensure they remain appropriate and necessary in accordance with law, that they have been ...
Param ID | Label | Constraint / Choices
pt-06.02_odp | frequency | the frequency at which to review all Privacy Act exemptions claimed for the system of records is defined;
PT-07 | Specific Categories of Personally Identifiable Information (1 param)
Apply {{ insert: param, pt-07_odp }} for specific categories of personally identifiable information.
Param ID | Label | Constraint / Choices
pt-07_odp | processing conditions | processing conditions to be applied for specific categories of personally identifiable information are defined;

PT-07(01) | Social Security Numbers
When a system processes Social Security numbers: (a) Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identif...

PT-07(02) | First Amendment Information
Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertine...

PT-08 | Computer Matching Requirements
When a system or organization processes information for the purpose of conducting a matching program: a. Obtain approval from the Data Integrity Board to conduct the matching program; b. Develo...
pt-1a Develop, document, and disseminate to {{ insert: param, pt-1_prm_1 }}:
  pt-1a.1 {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy that:
    pt-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    pt-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  pt-1a.2 Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated person...
pt-1b Designate an {{ insert: param, pt-01_odp.04 }} to manage the development, documentation, and dissemination of the personally identifiable informati...
pt-1c Review and update the current personally identifiable information processing and transparency:
  pt-1c.1 Policy {{ insert: param, pt-01_odp.05 }} and following {{ insert: param, pt-01_odp.06 }}; and
  pt-1c.2 Procedures {{ insert: param, pt-01_odp.07 }} and following {{ insert: param, pt-01_odp.08 }}.
pt-2a Determine and document the {{ insert: param, pt-02_odp.01 }} that permits the {{ insert: param, pt-02_odp.02 }} of personally identifiable informat...
pt-2b Restrict the {{ insert: param, pt-02_odp.03 }} of personally identifiable information to only that which is authorized.
pt-3a Identify and document the {{ insert: param, pt-03_odp.01 }} for processing personally identifiable information;
pt-3b Describe the purpose(s) in the public privacy notices and policies of the organization;
pt-3c Restrict the {{ insert: param, pt-03_odp.02 }} of personally identifiable information to only that which is compatible with the identified purpose(...
pt-3d Monitor changes in processing personally identifiable information and implement {{ insert: param, pt-03_odp.03 }} to ensure that any changes are ma...
pt-5a Is available to individuals upon first interacting with an organization, and subsequently at {{ insert: param, pt-05_odp.01 }};
pt-5b Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language;
pt-5c Identifies the authority that authorizes the processing of personally identifiable information;
pt-5d Identifies the purposes for which personally identifiable information is to be processed; and
pt-5e Includes {{ insert: param, pt-05_odp.02 }}.
pt-6a Draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and ...
pt-6b Publish system of records notices in the Federal Register; and
pt-6c Keep system of records notices accurate, up-to-date, and scoped in accordance with policy.
pt-7.1.(a) Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier;
pt-7.1.(b) Do not deny any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his or her Social Secu...
pt-7.1.(c) Inform any individual who is asked to disclose his or her Social Security number whether that disclosure is mandatory or voluntary, by what statuto...
pt-8a Obtain approval from the Data Integrity Board to conduct the matching program;
pt-8b Develop and enter into a computer matching agreement;
pt-8c Publish a matching notice in the Federal Register;
pt-8d Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and
pt-8e Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual.