CCI-004410

Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer.

Implementation Guidance

Determine if the accounting of disclosures is retained for the length of time that the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer.

Validation Procedures

Examine: [SELECT FROM: Privacy program plan; disclosure policies and procedures; records of disclosures; audit logs; Privacy Act policies and procedures; system of records notice; Privacy Act exemption rules.]. Interview: [SELECT FROM: Organizational personnel with privacy program responsibilities; organizational personnel with privacy responsibilities.]. Test: [SELECT FROM: Organizational processes for disclosures; mechanisms supporting the accounting of disclosures, including commercial services that provide notifications and alerts.].

The controls below (if any) were marked by NIST as being related to CCI-004410.