IP
Family: Individual Participation and Redress
Class: Management

This family addresses the need to make individuals active participants in the decision-making process regarding the collection and use of their PII, as required by the Privacy Act. By providing individuals with access to PII and the ability to have their PII corrected or amended, as appropriate, the controls in this family enhance public confidence in organizational decisions made based on the PII.

CONSENT

Control: The organization:

a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of PII prior to its collection;

b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination and retention of PII; and

c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII.

Supplemental Guidance: Consent is fundamental to individuals’ participation in the decision-making process regarding the collection and use of their PII and the use of technologies that may increase risks to personal privacy. To obtain consent, organizations provide individuals both appropriate notice of the purposes of the PII collection or technology use and a means for individuals to consent to the activity. Organizations tailor the public notice and consent mechanisms to meet operational needs.

Organizations may obtain consent through opt-in, opt-out, or implied consent. Opt-in consent requires individuals to take affirmative action to allow organizations to collect or use PII. Opt-out requires individuals to take action to prevent the collection or use of such PII. Implied consent occurs where individuals’ behavior or failure to object indicates agreement with the collection or use of PII (e.g., by entering and remaining in a building where notice has been posted that security cameras are in use, the individual implies consent to the video recording). Depending upon the nature of the program or information system, it may be appropriate to allow individuals to limit the types of PII they provide and subsequent uses of that PII. Organizational consent mechanisms include a discussion of the consequences to individuals for failure to provide PII. Consequences can vary from organization to organization.

Related control: TR-1.

Control Enhancements:

(1) The organization implements mechanisms to support itemized or tiered consent for specific uses of data.

Enhancement Supplemental Guidance: For example, organizations can provide individuals itemized choices as to whether they wish to be contacted for any of a variety of purposes. In this situation, organizations construct consent mechanisms to ensure that the organizational operations comply with individual choices.

References: The Privacy Act of 1974, Section 552a (b); Public Law 107-347, E-Government Act of 2002, as amended, Section 208(c); OMB Memoranda 03-22, 10-22.

ACCESS

Control: The organization provides individuals the ability to have access to their PII maintained in its system(s) of records in order to determine whether to have the PII corrected or amended, as appropriate.

Supplemental Guidance: Access affords individuals the ability to review PII about them held within organizational systems of records. Access includes timely, simplified, and inexpensive access to data. Organizational processes for allowing access to records may differ based on legal requirements, resources, or other factors. Organizations: (i) publish rules and regulations governing how individuals may request access to records maintained in a Privacy Act system of records; (ii) publish their access procedures in SORNs; and (iii) adhere to Privacy Act requirements and OMB policies and guidance for the proper processing of Privacy Act requests. Organizational SAOPs/CPOs are responsible for the content of Privacy Act regulations and record request processing, in consultation with legal counsel.

Related controls: IP-3, TR-1.

Control Enhancements: None.

References: The Privacy Act of 1974, Section 552a (d); OMB Circular A-130.

REDRESS

Control: The organization:

a. Provides a process for individuals to have inaccurate PII maintained by the organization corrected or amended, as appropriate; and

b. Establishes a process for disseminating corrections or amendments of the PII to other authorized users of the PII, such as external information sharing partners, and, where feasible and appropriate, notifies affected individuals that their information has been corrected or amended.

Supplemental Guidance: Redress supports the ability of individuals to ensure the accuracy of PII held by organizations. Effective redress processes demonstrate organizational commitment to data quality, especially in those business functions where inaccurate data may result in inappropriate decisions or denial of benefits and services to individuals. Organizations apply appropriate discretion in determining if records are to be corrected or amended, based on the scope of redress requests, the changes sought, and the impact of the changes.

To provide effective redress, organizations: (i) provide effective notice of the existence of a PII collection; (ii) provide plain language explanations of the processes and mechanisms for requesting access to records; (iii) establish criteria for submitting requests for correction or amendment; (iv) implement resources to analyze and adjudicate requests; (v) implement means of correcting or amending data collections; and (vi) review any decisions that may have been the result of inaccurate information.

Organizational redress processes provide responses to individuals of decisions to deny requests for correction or amendment, including the reasons for those decisions, a means to record individual objections to the organizational decisions, and a means of requesting organizational reviews of the initial determinations. Where PII is corrected or amended, organizations take steps to ensure that all authorized recipients of that PII are informed of the corrected or amended information. In instances where redress involves information obtained from other organizations, redress processes include coordination with organizations that originally collected the information.

Related controls: IP-2, TR-1, UL-2.

Control Enhancements: None.

References: The Privacy Act of 1974, Section 552a (d); OMB Circular A-130.

COMPLAINT MANAGEMENT

Control: The organization implements a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices.

Supplemental Guidance: Complaints, concerns, and questions from individuals can serve as a valuable source of external input that ultimately improves operational models, uses of technology, data collection practices, and privacy and security safeguards. Organizations provide complaint mechanisms that are readily accessible by the public, include all information necessary for successfully filing complaints (including contact information for the SAOP/CPO or other official designated to receive complaints), and are easy to use. Organizational complaint management processes include tracking mechanisms to ensure that all complaints received are reviewed and appropriately addressed in a timely manner.

Related controls: AR-6, IP-3.

Control Enhancements: None.

References: OMB Circular A-130; OMB Memoranda 07-16, 08-09.