Data Quality and Integrity
This family ensures compliance with Section 552a (e)(2) of the Privacy Act of 1974 and enhances public confidence that any PII collected and maintained by the organization is accurate, relevant, timely, and complete for the purpose for which it is to be used, as specified in the public notice.
Control: The organization:
a. Confirms to the extent feasible upon collection or creation of PII, the accuracy, relevance, timeliness, and completeness of that PII;
b. Collects PII directly from the individual to the greatest extent practicable;
c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems; and
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information.
Supplemental Guidance: Organizations take reasonable steps to confirm the accuracy of PII. Such steps may include, for example, editing and validating addresses as they are collected or entered into information systems using automated address verification look-up application programming interfaces (APIs). The types of measures taken to protect data quality may be based on the nature and context of the PII, how it is to be used, and how it was obtained. The measures taken to validate the accuracy of PII that is used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than those used to validate less sensitive PII. Additional steps may be necessary to validate PII that is obtained from sources other than individuals or the authorized representatives of individuals.
When PII is of a sufficiently sensitive nature (e.g., when it is used for annual reconfirmation of a taxpayer’s income for a recurring benefit), organizations incorporate mechanisms into information systems and develop corresponding procedures for how frequently, and by what method, the information is to be updated.
Related controls: IP-3, SI-10.
(1) Where feasible, the organization’s systems are configured to record the date PII is collected, created, or updated and when PII is to be deleted or archived under an approved record retention schedule.
Enhancement Supplemental Guidance: None.
References: The Privacy Act of 1974, Section 552a (e)(5); OMB Memorandum 07-16; Treasury and General Government Appropriations Act for Fiscal Year 2001 (Public Law 106-554, app C § 515, 114 Stat. 2763A-153-4); Paperwork Reduction Act (44 U.S.C. § 3501 et seq.); OMB Guidelines for Ensuring and Maximizing the Quality, Objectivity, Utility, and Integrity of Information Disseminated by Federal Agencies.
Control: The organization:
a. Documents processes to ensure the integrity of PII through existing security controls; and
b. Establishes a Data Integrity Board when appropriate, to oversee organizational computer matching agreements and to ensure that those agreements comply with the computer matching provisions of the Privacy Act.
Supplemental Guidance: Organizations conducting or participating in computer matching agreements with other organizations regarding applicants for and recipients of financial assistance or payments under federal benefit programs, and applicants for and holders of positions as federal personnel, establish a Data Integrity Board to oversee and coordinate their implementation of such matching agreements. In many organizations, the Data Integrity Board is led by the SAOP/CPO. The Data Integrity Board ensures that controls are in place to maintain both the quality and the integrity of data shared under computer matching agreements.
Related controls: AC-1, AC-3, AC-4, AC-6, AC-17, AU-2, AU-3, AU-6, AU-10, AU-11, DI-1, SC-8, SC-9, SI-9, UL-2.
Control Enhancements: None.
References: The Privacy Act of 1974, Section 552a (u); OMB Circular A-130, Appendix I.