PM-21—Accounting Of Disclosures
>Control Description
a. Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:
   1. Date, nature, and purpose of each disclosure; and
   2. Name and address, or other contact information of the individual or organization to which the disclosure was made;
b. Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and
c. Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request.
>Cross-Framework Mappings
>Supplemental Guidance
The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed, to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information, and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the Privacy Act (PRIVACT); agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision. Organizations can use any system for keeping notations of disclosures, provided that a document listing all disclosures, together with the required information, can be constructed from it. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services that provide notifications and alerts.
Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing the disclosure or dissemination of information, and with dissemination restrictions.
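As an added illustration of the three requirements above (not part of the control text or of any agency system), the following constructed Python ledger records the required elements of each disclosure, computes the retention end date as the longer of the PII retention period and five years after disclosure, and produces the per-individual listing that must be available on request. Field names, the `subject_id` key and the sample recipients are assumptions of this example.

```python
from dataclasses import dataclass, asdict
from datetime import date
from typing import List

# Constructed example: a minimal accounting-of-disclosures ledger that
# implements PM-21 a, b and c. Not drawn from any agency system.

REQUIRED = ("disclosed_on", "nature", "purpose", "recipient_name", "recipient_contact")

@dataclass(frozen=True)
class Disclosure:
    subject_id: str        # individual the PII relates to (PM-21 c); assumed key
    disclosed_on: date     # PM-21 a.1: date ...
    nature: str            # ... nature ...
    purpose: str           # ... and purpose of the disclosure
    recipient_name: str    # PM-21 a.2: name and contact information of the recipient
    recipient_contact: str

def retain_until(d: Disclosure, pii_retained_until: date) -> date:
    """PM-21 b: the later of the PII retention end and five years after disclosure."""
    try:
        five_years = d.disclosed_on.replace(year=d.disclosed_on.year + 5)
    except ValueError:  # disclosure dated 29 Feb and the target year is not a leap year
        five_years = d.disclosed_on.replace(year=d.disclosed_on.year + 5, day=28)
    return max(pii_retained_until, five_years)

class DisclosureLedger:
    def __init__(self) -> None:
        self._records: List[Disclosure] = []

    def record(self, d: Disclosure) -> None:
        """Append a disclosure; reject entries missing any PM-21 a element."""
        missing = [f for f in REQUIRED if not getattr(d, f)]
        if missing:
            raise ValueError(f"disclosure record incomplete, missing: {missing}")
        self._records.append(d)

    def accounting_for(self, subject_id: str) -> List[dict]:
        """PM-21 c: the chronological listing given to the individual on request."""
        mine = [d for d in self._records if d.subject_id == subject_id]
        return [asdict(d) for d in sorted(mine, key=lambda d: d.disclosed_on)]

    def purgeable(self, today: date, pii_retained_until: date) -> List[Disclosure]:
        """Records whose PM-21 b retention period has ended as of `today`."""
        return [d for d in self._records if retain_until(d, pii_retained_until) < today]
```

The ledger deliberately refuses incomplete entries rather than storing them for later repair, so a listing constructed from it always carries every element the control requires.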
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is the process for accounting for personally identifiable information (PII) across organizational systems?
- How does the organization maintain an inventory of PII holdings?
- Who is responsible for maintaining and updating PII inventories?
- How frequently are PII inventories reviewed and validated?
- What governance exists for ensuring PII inventories are accurate and complete?
Technical Implementation:
- What systems or tools inventory PII holdings across the organization?
- How is PII discovery and classification automated?
- What data mapping capabilities exist for PII flows and processing?
- How are PII inventories integrated with data governance tools?
Evidence & Documentation:
- Provide PII inventory documentation for organizational systems.
- Provide evidence of PII inventory validation and updates.
- Provide data flow diagrams showing PII processing and sharing.
- Provide records of PII inventory reviews.