TR-02-727 System of Records Notices and Privacy Act Statements

System of Records Notices and Privacy Act Statements

Control ID

TR-02-727

Control Name

System of Records Notices and Privacy Act Statements

Control Category

Transparency

Functional Areas

Identify

Sub-Areas

Privacy and Confidentiality

NIST Baseline Level(s)

NOT SELECTED

NIST Priority

State Implementation Required

Agency Last Implemented Date

Risk Statement

Laws and regulations are violated due to an organization failing to provide notices and privacy statements on usage of customer data.

Control Description

The organization: a. Publishes System of Records Notices (SORNs) in the Federal Register, subject to required oversight processes, for systems containing personally identifiable information (PII); b. Keeps SORNs current; and c. Includes Privacy Act Statements on its forms that collect PII, or on separate forms that can be retained by individuals, to provide additional formal notice to individuals from whom the information is being collected. (1) SYSTEM OF RECORDS NOTICES AND PRIVACY ACT STATEMENTS | PUBLIC WEBSITE PUBLICATION The organization publishes SORNs on its public website.

Control Example

For applicable federal system, compliance with System of Records Notices criteria is followed.

State Implementation

No statewide control

Testing Procedures

Obtain data privacy policy and procedures; other relevant documents or records and ascertain if: (I) the organization publishes System of Records Notices (SORNs) in the Federal Register, subject to required oversight processes, for systems containing personally identifiable information (PII); (ii) the organization keeps SORNs current; (iii) the organization includes Privacy Act Statements on its forms that collect PII, or on separate forms that can be retained by individuals, to provide additional formal notice to individuals from whom the information is being collected; and (iv) the organization publishes SORNs on its public website.