SI-18: Personally Identifiable Information Quality Operations

CSF v2.0 References:

Baselines:

  • Low

    N/A

  • Moderate

    N/A

  • High

    N/A

  • Privacy
Info icon.

Control is new to this version of the control set.

Control Statement

  1. Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle [Assignment: organization-defined frequency]; and
  2. Correct or delete inaccurate or outdated personally identifiable information.

Supplemental Guidance

Personally identifiable information quality operations include the steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information. Personally identifiable information quality operations include editing and validating addresses as they are collected or entered into systems using automated address verification look-up application programming interfaces. Checking personally identifiable information quality includes the tracking of updates or changes to data over time, which enables organizations to know how and what personally identifiable information was changed should erroneous information be identified. The measures taken to protect personally identifiable information quality are based on the nature and context of the personally identifiable information, how it is to be used, how it was obtained, and the potential de-identification methods employed. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals covered under federal programs may be more comprehensive than the measures used to validate personally identifiable information used for less sensitive purposes.

Control Enhancements

SI-18(1): Automation Support

Baseline(s):

(Not part of any baseline)

Correct or delete personally identifiable information that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified using [Assignment: organization-defined automated mechanisms].

SI-18(2): Data Tags

Baseline(s):

(Not part of any baseline)

Employ data tags to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems.

SI-18(3): Collection

Baseline(s):

(Not part of any baseline)

Collect personally identifiable information directly from the individual.

SI-18(4): Individual Requests

Baseline(s):

  • Privacy

Correct or delete personally identifiable information upon request by individuals or their designated representatives.

SI-18(5): Notice of Correction or Deletion

Baseline(s):

(Not part of any baseline)

Notify [Assignment: organization-defined recipients of personally identifiable information] and individuals that the personally identifiable information has been corrected or deleted.