PT-2—Authority To Process Personally Identifiable Information
>Control Description
Determine and document the ⚙organization-defined authority that permits the ⚙organization-defined processing of personally identifiable information; and
Restrict the ⚙organization-defined processing of personally identifiable information to only that which is authorized.
>Control Enhancements(2)
>Cross-Framework Mappings
>Supplemental Guidance
The processing of personally identifiable information is an operation or set of operations that the information system or organization performs with respect to personally identifiable information across the information life cycle. Processing includes but is not limited to creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Processing operations also include logging, generation, and transformation, as well as analysis techniques, such as data mining.
Organizations may be subject to laws, executive orders, directives, regulations, or policies that establish the organization's authority and thereby limit certain types of processing of personally identifiable information or establish other requirements related to the processing. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such authority, particularly if the organization is subject to multiple jurisdictions or sources of authority. For organizations whose processing is not determined according to legal authorities, the organization's policies and determinations govern how they process personally identifiable information.
While processing of personally identifiable information may be legally permissible, privacy risks may still arise. Privacy risk assessments can identify the privacy risks associated with the authorized processing of personally identifiable information and support solutions to manage such risks. Organizations consider applicable requirements and organizational policies to determine how to document this authority.
For federal agencies, the authority to process personally identifiable information is documented in privacy policies and notices, system of records notices, privacy impact assessments, PRIVACT statements, computer matching agreements and notices, contracts, information sharing agreements, memoranda of understanding, and other documentation.Organizations take steps to ensure that personally identifiable information is only processed for authorized purposes, including training organizational personnel on the authorized processing of personally identifiable information and monitoring and auditing organizational use of personally identifiable information.
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What is the process for determining legal authority to collect, use, maintain, and share PII?
- •How does the organization document and maintain legal authority documentation?
- •Who reviews and validates legal authority for PII processing activities?
- •What process exists for updating authority documentation when laws or missions change?
- •What governance exists for ensuring all PII processing is supported by appropriate legal authority?
Technical Implementation:
- •What systems document and track legal authority for PII processing?
- •How is legal authority information integrated with PII inventories and data flows?
- •What technical controls enforce authority-based processing restrictions?
- •How are authority limitations technically implemented in PII systems?
Evidence & Documentation:
- •Provide documentation of legal authority for collecting and processing PII.
- •Provide authority citations for each system or program processing PII.
- •Provide evidence of legal review and validation of authority documentation.
- •Provide records of authority documentation updates when legal bases change.
- •Provide system of records notices (SORNs) or other authority documentation.
Ask AI
Configure your API key to use AI features.