PT-7: Specific Categories of Personally Identifiable Information
Control is new to this version of the control set.
Control Statement
Apply [Assignment: organization-defined processing conditions] for specific categories of personally identifiable information.
Supplemental Guidance
Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, directives, regulations, policies, standards, or guidelines. The requirements may also come from the results of privacy risk assessments that factor in contextual changes that may result in an organizational determination that a particular category of personally identifiable information is particularly sensitive or raises particular privacy risks. Organizations consult with the senior agency official for privacy and legal counsel regarding any protections that may be necessary.
Control Enhancements
PT-7(1): Social Security Numbers
Baseline(s):
- Privacy
When a system processes Social Security numbers: Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier; Do not deny any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his or her Social Security number; and Inform…
PT-7(2): First Amendment Information
Baseline(s):
- Privacy
Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity.