NIST 800-53 REV 5 • PROGRAM MANAGEMENT

PM-26 Complaint Management

Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: Mechanisms that are easy to use and readily accessible by the public; All information necessary for successfully filing complaints; Tracking mechanisms to ensure all complaints received are reviewed and addressed within {{ insert: param, pm-26_prm_1 }}; Acknowledgement of receipt of complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.03 }}; and Response to complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.04 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Complaints, concerns, and questions from individuals can serve as valuable sources of input to organizations and ultimately improve operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include a telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or another official designated to receive complaints. Privacy complaints may themselves include personally identifiable information, which is handled in accordance with relevant policies and processes.

Practitioner Notes

You need a process for receiving, tracking, and responding to privacy complaints from individuals. When someone believes their personal information has been mishandled, they need a clear path to raise the concern.

Example 1: Publish a privacy complaint email address and form on your website. Create a complaint tracking spreadsheet or ticketing system that logs each complaint, the date received, assigned investigator, resolution, and response date. Target a 30-day resolution window.

Example 2: Use Microsoft Forms to create a privacy complaint intake form, then connect it to a Power Automate flow that creates a task in Planner, assigns it to your privacy officer, and sends an acknowledgment email to the complainant within 48 hours.