PT-02 Authority to Process Personally Identifiable Information
a. Determine and document the pt-02_odp.01 that permits the pt-02_odp.02 of personally identifiable information; and
b. Restrict the pt-02_odp.03 of personally identifiable information to only that which is authorized.
Parameter ID | Definition |
---|---|
pt-02_odp.01 | authority |
pt-02_odp.02 | processing |
pt-02_odp.03 | processing |
Baselines
- L
- M
- H
- P
Guidance
The processing of personally identifiable information is an operation or set of operations that the information system or organization performs with respect to personally identifiable information across the information life cycle. Processing includes but is not limited to creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Processing operations also include logging, generation, and transformation, as well as analysis techniques, such as data mining.
Organizations may be subject to laws, executive orders, directives, regulations, or policies that establish the organization’s authority and thereby limit certain types of processing of personally identifiable information or establish other requirements related to the processing. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such authority, particularly if the organization is subject to multiple jurisdictions or sources of authority. For organizations whose processing is not determined according to legal authorities, the organization’s policies and determinations govern how they process personally identifiable information. While processing of personally identifiable information may be legally permissible, privacy risks may still arise. Privacy risk assessments can identify the privacy risks associated with the authorized processing of personally identifiable information and support solutions to manage such risks.
Organizations consider applicable requirements and organizational policies to determine how to document this authority. For federal agencies, the authority to process personally identifiable information is documented in privacy policies and notices, system of records notices, privacy impact assessments, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statements, computer matching agreements and notices, contracts, information sharing agreements, memoranda of understanding, and other documentation.
Organizations take steps to ensure that personally identifiable information is only processed for authorized purposes, including training organizational personnel on the authorized processing of personally identifiable information and monitoring and auditing organizational use of personally identifiable information.
References 3
- PRIVACT Privacy Act (P.L. 93-579), December 1974.
- OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016.
- IR 8112 Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112.
Control Enhancements 2
- PT-02(01) Data Tagging L M H P
- PT-02(02) Automation L M H P
Related controls 14
- AC-02 Account Management L M H P
- AC-03 Access Enforcement L M H P
- CM-13 Data Action Mapping L M H P
- IR-09 Information Spillage Response L M H P
- PM-09 Risk Management Strategy L M H P
- PM-24 Data Integrity Board L M H P
- PT-01 Policy and Procedures L M H P
- PT-03 Personally Identifiable Information Processing Purposes L M H P
- PT-05 Privacy Notice L M H P
- PT-06 System of Records Notice L M H P
- RA-03 Risk Assessment L M H P
- RA-08 Privacy Impact Assessments L M H P
- SI-12 Information Management and Retention L M H P
- SI-18 Personally Identifiable Information Quality Operations L M H P