Family: Use Limitation (UL)

Class: Management

This family is intended to assist organizations in complying with the Privacy Act, which prohibits uses of PII that are either not specified in notices, incompatible with the specified purposes, or not otherwise permitted by law. Implementation of the Controls in this Family will ensure that the scope of PII use is limited accordingly.

INTERNAL USE

Control: The organization uses PII internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices.

Supplemental Guidance: Organizations take steps to ensure that they use PII only for legally authorized purposes and in a manner compatible with uses identified in the Privacy Act and/or in their public notices. These steps include monitoring and auditing organizational use of PII, and training organizational personnel on the authorized uses of PII. With guidance from privacy officials (i.e., SAOPs/CPOs) and, where appropriate, legal counsel, organizations document processes and procedures for evaluating any proposed new uses of PII to assess whether they fall within the scope of the organizational authorities. Where appropriate, organizations obtain consent from individuals for the new use(s) of PII.

Related controls: AP-2, AR-4, AR-5, IP-1, TR-1.

Control Enhancements: None.

References: The Privacy Act of 1974, Section 552a (b)(1).

INFORMATION SHARING

Control: The organization:

a. Shares PII with third parties, including other public and private sector entities, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or in a manner compatible with those purposes;

b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically enumerate the purposes for which PII may be used;

c. Monitors, audits, and trains its staff on the authorized uses and sharing of PII with third parties; and

d. Establishes and implements a process for evaluating any proposed new instances of sharing PII with third parties to assess whether they are authorized and whether additional or new public notice is required.

Supplemental Guidance: The organization’s SAOP/CPO and, where appropriate, legal counsel review and approve any proposed external sharing of PII for consistency with uses described in the existing organizational public notice(s). Where a new instance of external sharing of PII is authorized but not compatible with the purpose(s) specified in existing public notices, or as otherwise permitted by the Privacy Act, the organization reviews, updates, and republishes its PIA, SORN, Web site privacy policy, and other public notices, if any, to include specific descriptions of the new use(s). Information-sharing agreements also include security protections consistent with the sensitivity of the information being shared.

Related controls: AR-4, AR-5, AP-2, DI-2, TR-1.

Control Enhancements: None.

References: The Privacy Act of 1974, Section 552a (b), (c), (e)(3)(C), (o); ISE Privacy Guidelines.

SYSTEM DESIGN AND DEVELOPMENT

Control: The organization designs information systems to collect, use, maintain, and share PII only for the authorized purposes specified in the Privacy Act and/or organizational public notice(s) or for uses compatible with those purposes.

Supplemental Guidance: To the extent feasible, when designing new information systems the organization employs technologies that automate privacy controls on the collection, use, and disclosure of PII. By building privacy controls into system design, the organization mitigates privacy risks to PII, thereby reducing the likelihood of system breaches and other privacy incidents. The organization also conducts periodic reviews of the collection, use, and disclosure of PII to assess compliance with the Privacy Act and the organization’s privacy policy. Regardless of whether the organization employs automated privacy controls, it regularly monitors system use and sharing of PII to ensure that it is consistent with the authorized purposes identified in the Privacy Act and/or in the organization’s public notice, or in a manner compatible with those purposes.

Related controls: AC-6, AR-4, AR-5, TR-1.

Control Enhancements: None.

References: Public Law 107-347, E-Government Act of 2002, as amended, Section 208(b), (c); OMB Memorandum 03-22.