
PM-22 Personally Identifiable Information Quality Management

PRIVACY

>Control Description

Develop and document organization-wide policies and procedures for:

  a. Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;
  b. Correcting or deleting inaccurate or outdated personally identifiable information;
  c. Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and
  d. Appeals of adverse decisions on correction or deletion requests.

>Supplemental Guidance

Personally identifiable information quality management includes steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals.

Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information.

The senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes.

Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations. Organizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action.

Due to the complexity of data flows and storage, other entities may need to be informed of the correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is the process for ensuring PII quality and integrity across organizational systems?
  • How does the organization validate the accuracy and completeness of PII?
  • Who is responsible for overseeing PII quality and integrity activities?
  • What mechanisms exist for individuals to review and correct their PII?
  • What governance exists for maintaining PII quality throughout its lifecycle?

Technical Implementation:

  • What technical controls ensure PII accuracy and completeness?
  • How do individuals access their PII for review and correction?
  • What validation mechanisms check PII quality?
  • How are PII corrections processed and propagated across systems?

Evidence & Documentation:

  • Provide PII quality and integrity procedures.
  • Provide evidence of PII accuracy validation processes.
  • Provide records of individual requests to review/correct PII.
  • Provide documentation of PII quality assessments.
