myctrl.tools
Compare

PT-5Privacy Notice

PRIVACY

>Control Description

Provide notice to individuals about the processing of personally identifiable information that: a. Is available to individuals upon first interacting with an organization, and subsequently at organization-defined frequency; b. Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language; c. Identifies the authority that authorizes the processing of personally identifiable information; d. Identifies the purposes for which personally identifiable information is to be processed; and e. Includes organization-defined information.

>Control Enhancements(2)

PT-5(1)
PT-5(2)

>Cross-Framework Mappings

SOC 2 TSC

P1.1
Compare
P1.2
Compare
P2.1
Compare
P3.2
Compare
P5.1
Compare
P6.1
Compare
P6.4
Compare

SCF

PRI-02
Compare

>Supplemental Guidance

Privacy notices help inform individuals about how their personally identifiable information is being processed by the system or organization. Organizations use privacy notices to inform individuals about how, under what authority, and for what purpose their personally identifiable information is processed, as well as other information such as choices individuals might have with respect to that processing and other parties with whom information is shared. Laws, executive orders, directives, regulations, or policies may require that privacy notices include specific elements or be provided in specific formats.

Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding when and where to provide privacy notices, as well as elements to include in privacy notices and required formats. In circumstances where laws or government-wide policies do not require privacy notices, organizational policies and determinations may require privacy notices and may serve as a source of the elements to include in privacy notices.Privacy risk assessments identify the privacy risks associated with the processing of personally identifiable information and may help organizations determine appropriate elements to include in a privacy notice to manage such risks. To help individuals understand how their information is being processed, organizations write materials in plain language and avoid technical jargon.

>Related Controls

PM-20
PM-22
PT-2
PT-3
PT-4
PT-7
RA-3
SC-42
SI-18

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is the process for providing privacy notices to individuals about PII collection and use?
  • How does the organization ensure privacy notices are clear, accessible, and provided at appropriate times?
  • Who reviews and approves privacy notices?
  • What process exists for updating privacy notices when practices change?
  • What governance exists for ensuring privacy notices are current and compliant?

Technical Implementation:

  • How are privacy notices delivered to individuals (web portals, APIs, physical notices)?
  • What systems manage and version privacy notice content?
  • How are privacy notices presented at appropriate collection points?
  • What mechanisms ensure privacy notices are accessible to individuals with disabilities?
  • How are privacy notice acknowledgments captured and tracked?

Evidence & Documentation:

  • Provide current privacy notices provided to individuals.
  • Provide evidence of privacy notice delivery at appropriate collection points.
  • Provide records of privacy notice reviews and updates.
  • Provide documentation of privacy notice accessibility and clarity testing.
  • Provide examples of privacy notices in different formats (web, mobile, paper).

Ask AI

Configure your API key to use AI features.