
PT-5(2) Privacy Act Statements

PRIVACY

>Control Description

Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by individuals.

>Cross-Framework Mappings

>Supplemental Guidance

If a federal agency asks individuals to supply information that will become part of a system of records, the agency is required to provide a Privacy Act statement on the form used to collect the information or on a separate form that can be retained by the individual. The agency provides a Privacy Act statement in such circumstances regardless of whether the information will be collected on a paper or electronic form, on a website, on a mobile application, over the telephone, or through some other medium. This requirement ensures that the individual is provided with sufficient information about the request for information to make an informed decision on whether or not to respond. Privacy Act statements provide formal notice to individuals of the authority that authorizes the solicitation of the information; whether providing the information is mandatory or voluntary; the principal purpose(s) for which the information is to be used; the published routine uses to which the information is subject; the effects on the individual, if any, of not providing all or any part of the information requested; and an appropriate citation and link to the relevant system of records notice.

Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding the notice provisions of the Privacy Act.

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern Privacy Act statements in organizational systems?
  • Who is responsible for implementing and overseeing Privacy Act statement controls?
  • How does the organization ensure that Privacy Act statements comply with privacy laws and regulations?
  • What process exists for documenting and maintaining Privacy Act statements?
  • What governance exists for monitoring and enforcing Privacy Act statement requirements?

Technical Implementation:

  • What systems or tools technically implement Privacy Act statements?
  • How are Privacy Act statement requirements enforced in PII processing systems?
  • What privacy-enhancing technologies support Privacy Act statements?
  • How are Privacy Act statements integrated with data governance and privacy tools?
  • What technical controls prevent violations of Privacy Act statement requirements?

Evidence & Documentation:

  • Provide documented policies and procedures for Privacy Act statements.
  • Provide evidence of Privacy Act statement implementation in PII systems.
  • Provide documentation demonstrating compliance with Privacy Act statement requirements.
  • Provide records of Privacy Act statement reviews and updates.
  • Provide privacy impact assessments or other documentation addressing Privacy Act statements.
