PT 7 SPECIFIC CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki
Control: Apply [ Assignment: organization-defined processing conditions ] for specific categories of personally identifiable information.
Discussion: Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, directives, regulations, policies, standards, or guidelines. The requirements may also come from the results of privacy risk assessments that factor in contextual changes that may result in an organizational determination that a particular category of personally identifiable information is particularly sensitive or raises particular privacy risks. Organizations consult with the senior agency official for privacy and legal counsel regarding any protections that may be necessary.
Related Controls: IR-9, PT-2, PT-3, RA-3.
Control Enhancements:
(1) SPECIFIC CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION / SOCIAL SECURITY NUMBERS
When a system processes Social Security numbers:
- (a) Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier;
- (b) Do not deny any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his or her Social Security number; and
- (c) Inform any individual who is asked to disclose his or her Social Security number whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.
Discussion: Federal law and policy establish specific requirements for organizations’ processing of Social Security numbers. Organizations take steps to eliminate unnecessary uses of Social Security numbers and other sensitive information and observe any particular requirements that apply.
Related Controls: IA-4.
(2) SPECIFIC CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION / FIRST AMENDMENT INFORMATION
Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity.
Discussion: The [PRIVACT] limits agencies’ ability to process information that describes how individuals exercise rights guaranteed by the First Amendment. Organizations consult with the senior agency official for privacy and legal counsel regarding these requirements.
Related Controls: None.
References: [PRIVACT], [OMB A-130], [OMB A-108].