PT: Personally Identifiable Information Processing and Transparency

Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] personally identifiable information processing and transparency policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures…

Determine and document the [Assignment: organization-defined authority] that permits the [Assignment: organization-defined processing] of personally identifiable information; and Restrict the [Assignment: organization-defined processing] of personally identifiable information to only that which is authorized.

Identify and document the [Assignment: organization-defined purpose(s)] for processing personally identifiable information; Describe the purpose(s) in the public privacy notices and policies of the organization; Restrict the [Assignment: organization-defined processing] of personally identifiable information to only that which is compatible with the identified purpose(s); and Monitor changes in processing personally identifiable information and implement [Assignment:…

Implement [Assignment: organization-defined tools or mechanisms] for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.

Provide notice to individuals about the processing of personally identifiable information that: Is available to individuals upon first interacting with an organization, and subsequently at [Assignment: organization-defined frequency]; Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language; Identifies the authority that authorizes the processing of personally identifiable information; Identifies the…

For systems that process information that will be maintained in a Privacy Act system of records: Draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and appropriate congressional committees for advance review; Publish system of records notices in the Federal Register;…

Apply [Assignment: organization-defined processing conditions] for specific categories of personally identifiable information.

When a system or organization processes information for the purpose of conducting a matching program: Obtain approval from the Data Integrity Board to conduct the matching program; Develop and enter into a computer matching agreement; Publish a matching notice in the Federal Register; Independently verify the information produced by the matching program before taking adverse…