PT-2 AUTHORITY TO PROCESS PERSONALLY IDENTIFIABLE INFORMATION
Control:
- a. Determine and document the [ Assignment: organization-defined authority ] that permits the [ Assignment: organization-defined processing ] of personally identifiable information; and
- b. Restrict the [ Assignment: organization-defined processing ] of personally identifiable information to only that which is authorized.
Discussion: The processing of personally identifiable information is an operation or set of operations that the information system or organization performs with respect to personally identifiable information across the information life cycle. Processing includes but is not limited to creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Processing operations also include logging, generation, and transformation, as well as analysis techniques, such as data mining.
Organizations may be subject to laws, executive orders, directives, regulations, or policies that establish the organization’s authority and thereby limit certain types of processing of personally identifiable information or establish other requirements related to the processing. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such authority, particularly if the organization is subject to multiple jurisdictions or sources of authority. For organizations whose processing is not determined according to legal authorities, the organization’s policies and determinations govern how they process personally identifiable information. While processing of personally identifiable information may be legally permissible, privacy risks may still arise. Privacy risk assessments can identify the privacy risks associated with the authorized processing of personally identifiable information and support solutions to manage such risks.
Organizations consider applicable requirements and organizational policies to determine how to document this authority. For federal agencies, the authority to process personally identifiable information is documented in privacy policies and notices, system of records notices, privacy impact assessments, [PRIVACT] statements, computer matching agreements and notices, contracts, information sharing agreements, memoranda of understanding, and other documentation.
Organizations take steps to ensure that personally identifiable information is only processed for authorized purposes, including training organizational personnel on the authorized processing of personally identifiable information and monitoring and auditing organizational use of personally identifiable information.
Related Controls: AC-2, AC-3, CM-13, IR-9, PM-9, PM-24, PT-1, PT-3, PT-5, PT-6, RA-3, RA-8, SI-12, SI-18.
Control Enhancements:
- (1) AUTHORITY TO PROCESS PERSONALLY IDENTIFIABLE INFORMATION / DATA TAGGING
Attach data tags containing [ Assignment: organization-defined permissible processing ] to [ Assignment: organization-defined elements of personally identifiable information ].
Discussion: Data tags support the tracking and enforcement of authorized processing by conveying the types of processing that are authorized along with the relevant elements of personally identifiable information throughout the system. Data tags may also support the use of automated tools.
Related Controls: AC-16, CA-6, CM-12, PM-5, PM-22, PT-4, SC-16, SC-43, SI-10, SI-15, SI-19.
- (2) AUTHORITY TO PROCESS PERSONALLY IDENTIFIABLE INFORMATION / AUTOMATION
Manage enforcement of the authorized processing of personally identifiable information using [ Assignment: organization-defined automated mechanisms ].
Discussion: Automated mechanisms augment verification that only authorized processing is occurring.
Related Controls: CA-6, CM-12, PM-5, PM-22, PT-4, SC-16, SC-43, SI-10, SI-15, SI-19.
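Example (added here, not part of the NIST control text): one way the data tags of enhancement (1) can drive the automated enforcement of enhancement (2). The processing vocabulary, the `DataTag` and `Enforcer` names, the authority references and the sample record are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
# Constructed vocabulary standing in for the organization-defined processing types.
PROCESSING = {"collection", "use", "storage", "dissemination", "disposal", "data_mining"}

@dataclass(frozen=True)
class DataTag:
    element: str          # PII element the tag is attached to
    authority: str        # reference to the documented authority (placeholder values below)
    permitted: frozenset  # permissible processing carried by the tag

def load_tags(rows):
    """Build the tag table, rejecting tags that name processing outside the vocabulary."""
    tags = {}
    for row in rows:
        unknown = set(row["permitted"]) - PROCESSING
        if unknown:
            raise ValueError(f"{row['element']}: unknown processing {sorted(unknown)}")
        tags[row["element"]] = DataTag(row["element"], row["authority"], frozenset(row["permitted"]))
    return tags

@dataclass
class Enforcer:
    tags: dict
    audit: list = field(default_factory=list)  # decisions kept for monitoring and auditing

    def authorize(self, element, operation, actor):
        tag = self.tags.get(element)
        if operation not in PROCESSING:
            allowed, reason = False, "unknown processing type"
        elif tag is None:
            allowed, reason = False, "untagged element"  # fail closed
        elif operation in tag.permitted:
            allowed, reason = True, tag.authority
        else:
            allowed, reason = False, "not permitted by tag"
        self.audit.append({"actor": actor, "element": element, "operation": operation,
                           "allowed": allowed, "reason": reason})
        return allowed

    def process_record(self, record, operation, actor):
        """Release only the fields whose tags permit this operation."""
        return {k: v for k, v in record.items() if self.authorize(k, operation, actor)}

# Constructed sample tags and record.
TAGS = load_tags([
    {"element": "email", "authority": "PLACEHOLDER-NOTICE-1", "permitted": ["collection", "use", "storage"]},
    {"element": "ssn", "authority": "PLACEHOLDER-NOTICE-2", "permitted": ["collection", "storage"]},
])
RECORD = {"email": "user@example.com", "ssn": "000-00-0000", "device_id": "constructed-id"}
```

Calling `Enforcer(TAGS).process_record(RECORD, "use", "analytics-job")` releases only `email`; the `ssn` field (tag does not permit use) and the untagged `device_id` are withheld, and all three decisions land in the audit list.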
References: [PRIVACT], [OMB A-130, Appendix II], [IR 8112].