Navigate

IP-2

IP-2: Individual Access

The organization:

IP-2a.: Provides individuals the ability to have access to their personally identifiable information (PII) maintained in its system(s) of records;

IP-2b.: Publishes rules and regulations governing how individuals may request access to records maintained in a Privacy Act system of records;

IP-2c.: Publishes access procedures in System of Records Notices (SORNs); and

IP-2d: Adheres to Privacy Act requirements and OMB policies and guidance for the proper processing of Privacy Act requests.

Supplemental

Access affords individuals the ability to review PII about them held within organizational systems of records. Access includes timely, simplified, and inexpensive access to data. Organizational processes for allowing access to records may differ based on resources, legal requirements, or other factors. The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of Privacy Act regulations and record request processing, in consultation with legal counsel. Access to certain types of records may not be appropriate, however, and heads of agencies may promulgate rules exempting particular systems from the access provision of the Privacy Act. In addition, individuals are not entitled to access to information compiled in reasonable anticipation of a civil action or proceeding.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
Privacy (High), Privacy (Low), Privacy (Mod), Privacy (PHI)

Related Controls

The controls below (if any) were marked by NIST as being related to IP-2.

Control	Description
AR-8	The organization: AR-8a.: Keeps an accurate accounting of disclosures of information held in each system of records under its control, including: AR-8a.1.: Date, nature, and purpose of each disclosure of a record; and AR-8a.2.: Name and address of the person or agency to which the disclosure was made; AR-8b.: Retains the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer; and AR-8c.: Makes the accounting of disclosures available to the person named in the record upon request.
IP-3	The organization: IP-3a.: Provides a process for individuals to have inaccurate personally identifiable information (PII) maintained by the organization corrected or amended, as appropriate; and IP-3b.: Establishes a process for disseminating corrections or amendments of the PII to other authorized users of the PII, such as external information-sharing partners and, where feasible and appropriate, notifies affected individuals that their information has been corrected or amended.
TR-1	The organization: TR-1a.: Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary; TR-1b.: Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and TR-1c.: Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change.
TR-2	The organization: TR-2a.: Publishes System of Records Notices (SORNs) in the Federal Register, subject to required oversight processes, for systems containing personally identifiable information (PII); TR-2b.: Keeps SORNs current; and TR-2c.: Includes Privacy Act Statements on its forms that collect PII, or on separate forms that can be retained by individuals, to provide additional formal notice to individuals from whom the information is being collected.

Enhancements

The controls below (if any) add on to the requirements of IP-2.

Control	Description
No controls

Related CCIs

The CCIs below are tied to IP-2.

CCI	Definition
CCI-003531	The organization provides individuals the ability to have access to their personally identifiable information (PII) maintained in its system(s) of records.
CCI-003532	The organization publishes rules and regulations governing how individuals may request access to records maintained in a Privacy Act system of records.
CCI-003533	The organization publishes regulations governing how individuals may request access to records maintained in a Privacy Act system of records.
CCI-003534	The organization publishes access procedures for Privacy Act systems of records in System of Records Notices (SORNs).
CCI-003535	The organization adheres to Privacy Act requirements for the proper processing of Privacy Act requests.
CCI-003536	The organization adheres to OMB policies and guidance for the proper processing of Privacy Act requests.