Navigate

AP-1

AP-1: Authority to Collect

The organization determines and documents the legal authority that permits the collection, use, maintenance, and sharing of personally identifiable information (PII), either generally or in support of a specific program or information system need.

Supplemental

Before collecting PII, the organization determines whether the contemplated collection of PII is legally authorized. Program officials consult with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and legal counsel regarding the authority of any program or activity to collect PII. The authority to collect PII is documented in the System of Records Notice (SORN) and/or Privacy Impact Assessment (PIA) or other applicable documentation such as Privacy Act Statements or Computer Matching Agreements.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
Privacy (High), Privacy (Low), Privacy (Mod)

Related Controls

The controls below (if any) were marked by NIST as being related to AP-1.

Control	Description
AR-2	The organization: AR-2a.: Documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, use, and disposal of personally identifiable information (PII); and AR-2b.: Conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures.
DM-1	The organization: DM-1a.: Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection; DM-1b.: Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and DM-1c.: Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose.
TR-1	The organization: TR-1a.: Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary; TR-1b.: Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and TR-1c.: Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change.
TR-2	The organization: TR-2a.: Publishes System of Records Notices (SORNs) in the Federal Register, subject to required oversight processes, for systems containing personally identifiable information (PII); TR-2b.: Keeps SORNs current; and TR-2c.: Includes Privacy Act Statements on its forms that collect PII, or on separate forms that can be retained by individuals, to provide additional formal notice to individuals from whom the information is being collected.

Enhancements

The controls below (if any) add on to the requirements of AP-1.

Control	Description
No controls

Related CCIs

The CCIs below are tied to AP-1.

CCI	Definition
CCI-003392	The organization determines and documents the legal authority that permits the collection of personally identifiable information (PII), either generally or in support of a specific program or information system need.
CCI-003393	The organization determines and documents the legal authority that permits the use of personally identifiable information (PII), either generally or in support of a specific program or information system need.
CCI-003394	The organization determines and documents the legal authority that permits the maintenance of personally identifiable information (PII), either generally or in support of a specific program or information system need.
CCI-003395	The organization determines and documents the legal authority that permits the sharing of personally identifiable information (PII), either generally or in support of a specific program or information system need.