CCI-004646

Conduct privacy impact assessments for systems, programs, or other activities before initiating a new collection of personally identifiable information that will be processes using information technology.

Implementation Guidance

Determine if: - privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that will be processed using information technology. - privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government.

Validation Procedures

Examine: [SELECT FROM: Risk assessment policy; security and privacy risk assessment reports; acquisitions documents; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with assessment and auditing responsibilities; system/network administrators; system developers; program managers; legal counsel; organizational personnel with security and privacy responsibilities]. Test: [SELECT FROM: Organizational processes for assessments and audits; mechanisms/tools supporting and/or implementing assessments and auditing].

The controls below (if any) were marked by NIST as being related to CCI-004646.