CCI-003496

The organization, where feasible and within the limits of technology, uses anonymization and de-identification techniques to permit use of the retained Privacy Act information while reducing its sensitivity and reducing the risk resulting from disclosure.

Implementation Guidance

The organization being inspected/assessed documents and implements a process to use anonymization and de-identification techniques, where feasible and within the limits of technology, to permit use of the retained Privacy Act information while reducing its sensitivity and reducing the risk resulting from disclosure.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed, where feasible and within the limits of technology, uses anonymization and de-identification techniques to permit use of the retained Privacy Act information while reducing its sensitivity and reducing the risk resulting from disclosure.

Compelling Evidence

1.) Site must produce a signed documented process that describes how the site uses anonymization and de-identification techniques to permit use of the retained Privacy Act information while reducing its sensitivity and reducing the risk resulting from disclosure. 2.) Reviewer will validate the existence of the documentation. 3.) Reviewer will validate that the documentation describes a process of site's usage of anonymization and de-identification techniques. 4.) Reviewer will validate that the site implements and follows a process to use anonymization and de-identification techniques.

The controls below (if any) were marked by NIST as being related to CCI-003496.