NIST 800-53 REV 5 • AWARENESS AND TRAINING
AT-3(5) — Processing Personally Identifiable Information
Provide {{ insert: param, at-03.05_odp.01 }} with initial and {{ insert: param, at-03.05_odp.02 }} training in the employment and operation of personally identifiable information processing and transparency controls.
Supplemental Guidance
Personally identifiable information processing and transparency controls include the organization’s authority to process personally identifiable information and personally identifiable information processing purposes. Role-based training for federal agencies addresses the types of information that may constitute personally identifiable information and the risks, considerations, and obligations associated with its processing. Such training also considers the authority to process personally identifiable information documented in privacy policies and notices, system of records notices, computer matching agreements and notices, privacy impact assessments, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statements, contracts, information sharing agreements, memoranda of understanding, and/or other documentation.
Practitioner Notes
Personnel who handle personally identifiable information (PII) need specific training on privacy requirements, handling procedures, and breach notification obligations.
Example 1: Require annual privacy training for anyone with access to PII (HR, payroll, benefits, recruiting). Cover topics such as the Privacy Act, HIPAA where applicable, PII handling requirements, and breach notification procedures. Use the DISA PII training course or content approved by your organization's privacy officer.
Example 2: Train developers who build applications that handle PII on privacy-by-design principles: data minimization, purpose limitation, encryption at rest and in transit, and proper data retention and deletion. Include hands-on exercises using Microsoft Purview's data classification and labeling tools.