CCI-003399
CCI-003399 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed ensures the PII collected by the specific program or information system is related to, and compatible with, the purpose and scope of the authority described in the privacy documentation, for example, but not limited to, the Privacy Act system of records notice (SORN) or Privacy Impact Assessment (PIA). The privacy documentation shall be in accordance with 5 USC 552a, DoDD 5400.11, DoD 5400.11-R, Section 208 of the E-Gov Act of 2002 (Public Law 107-347), and DoDI 5400.16.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the applicable privacy notices and privacy impact assessment to ensure the organization being inspected/assessed describes, in its privacy notices, the purpose(s) for which PII is maintained.
Compelling Evidence
1. Site must produce signed and/or published PII documentation which describes PII policy on the purpose(s) for which PII is maintained by the site. Such PII documentation may include, but is not limited to, the relevant Privacy Act system of records notice, the DD 2930 (Privacy Impact Assessment), the system privacy plan (SPP), and the Privacy Act Statement.