PT-5: Privacy Notice

CSF v2.0 References:

PF v1.0 References:


  • Low


  • Moderate


  • High


  • Privacy
Info icon.

Control is new to this version of the control set.

Control Statement

Provide notice to individuals about the processing of personally identifiable information that:

  1. Is available to individuals upon first interacting with an organization, and subsequently at [Assignment: organization-defined frequency];
  2. Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language;
  3. Identifies the authority that authorizes the processing of personally identifiable information;
  4. Identifies the purposes for which personally identifiable information is to be processed; and
  5. Includes [Assignment: organization-defined information].

Supplemental Guidance

Privacy notices help inform individuals about how their personally identifiable information is being processed by the system or organization. Organizations use privacy notices to inform individuals about how, under what authority, and for what purpose their personally identifiable information is processed, as well as other information such as choices individuals might have with respect to that processing and other parties with whom information is shared. Laws, executive orders, directives, regulations, or policies may require that privacy notices include specific elements or be provided in specific formats. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding when and where to provide privacy notices, as well as elements to include in privacy notices and required formats. In circumstances where laws or government-wide policies do not require privacy notices, organizational policies and determinations may require privacy notices and may serve as a source of the elements to include in privacy notices.

Privacy risk assessments identify the privacy risks associated with the processing of personally identifiable information and may help organizations determine appropriate elements to include in a privacy notice to manage such risks. To help individuals understand how their information is being processed, organizations write materials in plain language and avoid technical jargon.

Control Enhancements

PT-5(1): Just-in-time Notice


(Not part of any baseline)

Present notice of personally identifiable information processing to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data action, or [Assignment: organization-defined frequency].

PT-5(2): Privacy Act Statements


  • Privacy

Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by individuals.