TR
Family: Transparency
Class: Management
This family implements Sections 552a (e)(3) and (e)(4) of the Privacy Act and Section 208 of the E-Government Act, which require public notice of an organization’s information practices and the privacy impact of government programs and activities.
TR-1 PRIVACY NOTICE
Control: The organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII for the purpose of having it amended or corrected, where appropriate; and (vi) how the PII will be protected;
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy; and
d. Ensures (e.g., through updated public notice) that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII.
Supplemental Guidance: Effective notice, by virtue of its clarity and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), in a Web site privacy policy, or in an Information Sharing Privacy Policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII.
Organizational SAOPs/CPOs are responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE).
Related controls: AC-8, AP-1, AP-2, IP-1, IP-2, IP-3, PL-5, UL-1, UL-2.
Control Enhancements:
(1) The organization provides real-time (i.e., at the point of collection) notice when it collects PII.
Enhancement Supplemental Guidance: None.
References: The Privacy Act of 1974, 5 U.S.C. §§ 552a (e)(3), (e)(4); Public Law 107-347, E-Government Act of 2002, as amended, Section 208(b); OMB Memoranda 03-22, 07-16, 10-22, 10-23; ISE Privacy Guidelines.
TR-2 DISSEMINATION OF PRIVACY PROGRAM INFORMATION
Control: The organization:
a. Ensures that the public has access to information about its privacy activities and is able to communicate with its privacy officials; and
b. Ensures that its privacy practices are published in PIAs and SORNs and that all publicly available privacy reports and newsletters are made available either through organizational Web sites or otherwise.
Supplemental Guidance: Privacy officials include, for example, the SAOP and CPO. Organizations employ different mechanisms for informing the public about their privacy practices including, but not limited to, publicly available Web pages, blogs, email distributions, and periodic publications (e.g., quarterly newsletters). The organization also employs a publicly facing email address or phone line that enables the public to provide feedback or direct questions to the privacy office regarding privacy practices.
Related control: AR-6.
Control Enhancements: None.
References: The Privacy Act of 1974, 5 U.S.C. §§ 552a (e)(3), (e)(4); Public Law 107-347, E-Government Act of 2002, as amended, Section 208(b); OMB Memoranda 03-22, 07-16, 10-22, 10-23; ISE Privacy Guidelines.
