NIST 800-53 REV 5 • PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY

PT-5 Privacy Notice

Provide notice to individuals about the processing of personally identifiable information that:

a. Is available to individuals upon first interacting with an organization, and subsequently at {{ insert: param, pt-05_odp.01 }};
b. Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language;
c. Identifies the authority that authorizes the processing of personally identifiable information;
d. Identifies the purposes for which personally identifiable information is to be processed; and
e. Includes {{ insert: param, pt-05_odp.02 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Privacy notices help inform individuals about how their personally identifiable information is being processed by the system or organization. Organizations use privacy notices to inform individuals about how, under what authority, and for what purpose their personally identifiable information is processed, as well as other information such as choices individuals might have with respect to that processing and other parties with whom information is shared. Laws, executive orders, directives, regulations, or policies may require that privacy notices include specific elements or be provided in specific formats. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding when and where to provide privacy notices, as well as elements to include in privacy notices and required formats. In circumstances where laws or government-wide policies do not require privacy notices, organizational policies and determinations may require privacy notices and may serve as a source of the elements to include in privacy notices. Privacy risk assessments identify the privacy risks associated with the processing of personally identifiable information and may help organizations determine appropriate elements to include in a privacy notice to manage such risks. To help individuals understand how their information is being processed, organizations write materials in plain language and avoid technical jargon.

Practitioner Notes

Before collecting PII, you must provide individuals with a clear notice explaining what data you collect, why, how it will be used, who it may be shared with, and their rights. No surprises.

Example 1: Post a comprehensive privacy notice on your website that covers: categories of PII collected, purposes of collection, legal authority, whether disclosure is voluntary or mandatory, third parties who may receive the data, retention periods, and how to contact your privacy officer.

Example 2: For federal systems, publish a Privacy Act System of Records Notice (SORN) in the Federal Register that describes the system, the records it maintains, and how individuals can request access or amendment. For commercial organizations, publish equivalent information in your privacy policy.