SI 18 PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

Control:

• a. Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle [ Assignment: organization-defined frequency ]; and
• b. Correct or delete inaccurate or outdated personally identifiable information.

Discussion: Personally identifiable information quality operations include the steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information. Personally identifiable information quality operations include editing and validating addresses as they are collected or entered into systems using automated address verification look-up application programming interfaces. Checking personally identifiable information quality includes the tracking of updates or changes to data over time, which enables organizations to know how and what personally identifiable information was changed should erroneous information be identified. The measures taken to protect personally identifiable information quality are based on the nature and context of the personally identifiable information, how it is to be used, how it was obtained, and the potential de-identification methods employed. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals covered under federal programs may be more comprehensive than the measures used to validate personally identifiable information used for less sensitive purposes.

Related Controls: PM-22 , PM-24 , SI-4.

Control Enhancements:

• (1) PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS / AUTOMATION SUPPORT
  Correct or delete personally identifiable information that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified using [ Assignment: organization-defined automated mechanisms ].

  Discussion: The use of automated mechanisms to improve data quality may inadvertently create privacy risks. Automated tools may connect to external or otherwise unrelated systems, and the matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessments and make determinations that are in alignment with their privacy program plans.

  As data is obtained and used across the information life cycle, it is important to confirm the accuracy and relevance of personally identifiable information. Automated mechanisms can augment existing data quality processes and procedures and enable an organization to better identify and manage personally identifiable information in large-scale systems. For example, automated tools can greatly improve efforts to consistently normalize data or identify malformed data. Automated tools can also be used to improve the auditing of data and detect errors that may incorrectly alter personally identifiable information or incorrectly associate such information with the wrong individual. Automated capabilities backstop processes and procedures at-scale and enable more fine-grained detection and correction of data quality errors.

  Related Controls: PM-18 , PM-22 , RA-8.

• (2) PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS / DATA TAGS
  Employ data tags to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems.

  Discussion: Data tagging personally identifiable information includes tags that note processing permissions, authority to process, de-identification, impact level, information life cycle stage, and retention or last updated dates. Employing data tags for personally identifiable information can support the use of automation tools to correct or delete relevant personally identifiable information.

  Related Controls: AC-3 , AC-16 , SC-16.

• (3) PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS / COLLECTION
  Collect personally identifiable information directly from the individual.

  Discussion: Individuals or their designated representatives can be sources of correct personally identifiable information. Organizations consider contextual factors that may incentivize individuals to provide correct data versus false data. Additional steps may be necessary to validate collected information based on the nature and context of the personally identifiable information, how it is to be used, and how it was obtained. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than the measures taken to validate less sensitive personally identifiable information.

  Related Controls: None.

• (4) PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS / INDIVIDUAL REQUESTS
  Correct or delete personally identifiable information upon request by individuals or their designated representatives.

  Discussion: Inaccurate personally identifiable information maintained by organizations may cause problems for individuals, especially in those business functions where inaccurate information may result in inappropriate decisions or the denial of benefits and services to individuals. Even correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of an organization maintaining the information. Organizations use discretion when determining if personally identifiable information is to be corrected or deleted based on the scope of requests, the changes sought, the impact of the changes, and laws, regulations, and policies. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding appropriate instances of correction or deletion.

  Related Controls: PM-22.

• (5) PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS / NOTICE OF CORRECTION OR DELETION
  Notify [ Assignment: organization-defined recipients of personally identifiable information ] and individuals that the personally identifiable information has been corrected or deleted.

  Discussion: When personally identifiable information is corrected or deleted, organizations take steps to ensure that all authorized recipients of such information, and the individual with whom the information is associated or their designated representatives, are informed of the corrected or deleted information.

  Related Controls: None.

References: [SP 800-188], [IR 8112].