PT-03 Personally Identifiable Information Processing Purposes
a. Identify and document the [pt-03_odp.01] for processing personally identifiable information;
b. Describe the purpose(s) in the public privacy notices and policies of the organization;
c. Restrict the [pt-03_odp.02] of personally identifiable information to only that which is compatible with the identified purpose(s); and
d. Monitor changes in processing personally identifiable information and implement [pt-03_odp.03] to ensure that any changes are made in accordance with [pt-03_odp.04].
Identifying and documenting the purpose for processing provides organizations with a basis for understanding why personally identifiable information may be processed. The term "process" includes every step of the information life cycle, including creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Identifying and documenting the purpose of processing is a prerequisite to enabling owners and operators of the system and individuals whose information is processed by the system to understand how the information will be processed. This enables individuals to make informed decisions about their engagement with information systems and organizations and to manage their privacy interests. Once the specific processing purpose has been identified, the purpose is described in the organization’s privacy notices, policies, and any related privacy compliance documentation, including privacy impact assessments, system of records notices, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statements, computer matching notices, and other applicable Federal Register notices.
Organizations take steps to help ensure that personally identifiable information is processed only for identified purposes, including training organizational personnel and monitoring and auditing organizational processing of personally identifiable information.
Organizations monitor for changes in personally identifiable information processing. Organizational personnel consult with the senior agency official for privacy and legal counsel to ensure that any new purposes that arise from changes in processing are compatible with the purpose for which the information was collected, or if the new purpose is not compatible, implement mechanisms in accordance with defined requirements to allow for the new processing, if appropriate. Mechanisms may include obtaining consent from individuals, revising privacy policies, or other measures to manage privacy risks that arise from changes in personally identifiable information processing purposes.
- PRIVACT: Privacy Act of 1974 (P.L. 93-579), December 1974.
- OMB A-130: Office of Management and Budget, Circular A-130, *Managing Information as a Strategic Resource*, July 2016.
- IR 8112: Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh A (2018) *Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes*. National Institute of Standards and Technology, Gaithersburg, MD, NIST Interagency or Internal Report (IR) 8112.
Control Enhancements (2)
- PT-03(01) Data Tagging
- PT-03(02) Automation
Related Controls (15)
- AC-02 Account Management
- AC-03 Access Enforcement
- AT-03 Role-based Training
- CM-13 Data Action Mapping
- IR-09 Information Spillage Response
- PM-09 Risk Management Strategy
- PM-25 Minimization of Personally Identifiable Information Used in Testing, Training, and Research
- PT-02 Authority to Process Personally Identifiable Information
- PT-05 Privacy Notice
- PT-06 System of Records Notice
- PT-07 Specific Categories of Personally Identifiable Information
- RA-08 Privacy Impact Assessments
- SC-43 Usage Restrictions
- SI-12 Information Management and Retention
- SI-18 Personally Identifiable Information Quality Operations