Navigate

AR-5

AR-5: PRIVACY AWARENESS AND TRAINING

The organization: a. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures; b. Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and c. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually].

Supplemental

Through implementation of a privacy training and awareness strategy, the organization promotes a culture of privacy. Privacy training and awareness programs typically focus on broad topics, such as responsibilities under the Privacy Act of 1974 and E-Government Act of 2002 and the consequences of failing to carry out those responsibilities, how to identify new privacy risks, how to mitigate privacy risks, and how and when to report privacy incidents. Privacy training may also target data collection and use requirements identified in public notices, such as Privacy Impact Assessments (PIAs) or System of Records Notices (SORNs) for a program or information system. Specific training methods may include: (i) mandatory annual privacy awareness training; (ii) targeted, role-based training; (iii) internal privacy program websites; (iv) manuals, guides, and handbooks; (v) slide presentations; (vi) events (e.g., privacy awareness week, privacy clean-up day); (vii) posters and brochures; and (viii) email messages to all employees and contractors. Organizations update training based on changing statutory, regulatory, mission, program, business process, and information system requirements, or on the results of compliance monitoring and auditing. Where appropriate, organizations may provide privacy training as part of existing information security training.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
Privacy (High), Privacy (Low), Privacy (Mod), Privacy (PHI)

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to AR-5.

Control	Description
AR-3	The organization: a. Establishes privacy roles, responsibilities, and access requirements for contractors and service providers; and b. Includes privacy requirements in contracts and other acquisition-related documents
AT-2	The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): a: As part of initial training for new users; b: When required by information system changes; and c: [organization-defined frequency] thereafter.
AT-3	The organization provides role-based security training to personnel with assigned security roles and responsibilities: a: Before authorizing access to the information system or performing assigned duties; b: When required by information system changes; and c: [organization-defined frequency] thereafter.
TR-1	The organization: a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary; b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change.

Enhancements

The controls below (if any) add on to the requirements of AR-5.

Control	Description
No controls

Related CCIs

The CCIs below are tied to AR-5.

CCI	Definition
CCI-003440	The organization develops a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures.
CCI-003441	The organization implements a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures.
CCI-003442	The organization updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures.
CCI-003443	The organization defines the frequency, minimally annually, for administering its basic privacy training.
CCI-003444	The organization defines the frequency, minimally annually, for administering the targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII.
CCI-003445	The organization administers basic privacy training per the organization-defined frequency.
CCI-003446	The organization administers, per organization-defined frequency, targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII.
CCI-003447	The organization defines the frequency, minimally annually, on which personnel certify acceptance of responsibilities for privacy requirements.
CCI-003448	The organization ensures personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements per organization-defined frequency.