PT-07 Specific Categories of Personally Identifiable Information

Baselines

Guidance

Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, directives, regulations, policies, standards, or guidelines. The requirements may also come from the results of privacy risk assessments that factor in contextual changes that may result in an organizational determination that a particular category of personally identifiable information is particularly sensitive or raises particular privacy risks. Organizations consult with the senior agency official for privacy and legal counsel regarding any protections that may be necessary.

References 4

• PRIVACT Privacy Act (P.L. 93-579), December 1974.
• OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016.
• OMB A-108 Office of Management and Budget Memorandum Circular A-108, *Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act* , December 2016.
• NARA CUI National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry.

Control Enhancements 2

• PT-07(01) Social Security Numbers L M H P
• PT-07(02) First Amendment Information L M H P

Related controls 4

• IR-09 Information Spillage Response L M H P
• PT-02 Authority to Process Personally Identifiable Information L M H P
• PT-03 Personally Identifiable Information Processing Purposes L M H P
• RA-03 Risk Assessment L M H P