PT-05 Privacy Notice
Provide notice to individuals about the processing of personally identifiable information that:
a. Is available to individuals upon first interacting with an organization, and subsequently at pt-05_odp.01;
b. Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language;
c. Identifies the authority that authorizes the processing of personally identifiable information;
d. Identifies the purposes for which personally identifiable information is to be processed; and
e. Includes pt-05_odp.02.
| Parameter ID | Definition |
|---|---|
| pt-05_odp.01 | frequency |
| pt-05_odp.02 | information |
Baselines
- L
- M
- H
- P
Guidance
Privacy notices help inform individuals about how their personally identifiable information is being processed by the system or organization. Organizations use privacy notices to inform individuals about how, under what authority, and for what purpose their personally identifiable information is processed, as well as other information such as choices individuals might have with respect to that processing and other parties with whom information is shared. Laws, executive orders, directives, regulations, or policies may require that privacy notices include specific elements or be provided in specific formats. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding when and where to provide privacy notices, as well as elements to include in privacy notices and required formats. In circumstances where laws or government-wide policies do not require privacy notices, organizational policies and determinations may require privacy notices and may serve as a source of the elements to include in privacy notices.
Privacy risk assessments identify the privacy risks associated with the processing of personally identifiable information and may help organizations determine appropriate elements to include in a privacy notice to manage such risks. To help individuals understand how their information is being processed, organizations write materials in plain language and avoid technical jargon.
References 3
- PRIVACT Privacy Act (P.L. 93-579), December 1974.
- OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016.
- OMB A-108 Office of Management and Budget Memorandum Circular A-108, *Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act* , December 2016.
Control Enhancements 2
- PT-05(01) Just-in-time Notice L M H P
- PT-05(02) Privacy Act Statements L M H P
Related controls 9
- PM-20 Dissemination of Privacy Program Information L M H P
- PM-22 Personally Identifiable Information Quality Management L M H P
- PT-02 Authority to Process Personally Identifiable Information L M H P
- PT-03 Personally Identifiable Information Processing Purposes L M H P
- PT-04 Consent L M H P
- PT-07 Specific Categories of Personally Identifiable Information L M H P
- RA-03 Risk Assessment L M H P
- SC-42 Sensor Capability and Data L M H P
- SI-18 Personally Identifiable Information Quality Operations L M H P