Navigate

TR-1

TR-1: Privacy Notice

The organization:

TR-1a.: Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;

TR-1b.: Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and

TR-1c.: Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change.

Supplemental

Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Effective notice also demonstrates the privacy considerations that the organization has addressed in implementing its information practices. The organization may provide general public notice through a variety of means, as required by law or policy, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), or in a website privacy policy. As required by the Privacy Act, the organization also provides direct notice to individuals via Privacy Act Statements on the paper and electronic forms it uses to collect PII, or on separate forms that can be retained by the individuals. The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) is responsible for the content of the organization’s public notices, in consultation with legal counsel and relevant program managers. The public notice requirement in this control is satisfied by an organization’s compliance with the public notice provisions of the Privacy Act, the E-Government Act’s PIA requirement, with OMB guidance related to federal agency privacy notices, and, where applicable, with policy pertaining to participation in the Information Sharing Environment (ISE). 124 Changing PII practice or policy without prior notice is disfavored and should only be undertaken in consultation with the SAOP/CPO and counsel.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
Privacy (High), Privacy (Low), Privacy (Mod), Privacy (PHI)

Related Controls

The controls below (if any) were marked by NIST as being related to TR-1.

Control	Description
AP-1	The organization determines and documents the legal authority that permits the collection, use, maintenance, and sharing of personally identifiable information (PII), either generally or in support of a specific program or information system need.
AP-2	The organization describes the purpose(s) for which personally identifiable information (PII) is collected, used, maintained, and shared in its privacy notices.
AR-1	The organization: AR-1a.: Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems; AR-1b.: Monitors federal privacy laws and policy for changes that affect the privacy program; AR-1c.: Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program; AR-1d.: Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures; AR-1e.: Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and AR-1f.: Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially].
AR-2	The organization: AR-2a.: Documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, use, and disposal of personally identifiable information (PII); and AR-2b.: Conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures.
IP-1	The organization: IP-1a.: Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection; IP-1b.: Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII; IP-1c.: Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; and IP-1d.: Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII.
IP-2	The organization: IP-2a.: Provides individuals the ability to have access to their personally identifiable information (PII) maintained in its system(s) of records; IP-2b.: Publishes rules and regulations governing how individuals may request access to records maintained in a Privacy Act system of records; IP-2c.: Publishes access procedures in System of Records Notices (SORNs); and IP-2d: Adheres to Privacy Act requirements and OMB policies and guidance for the proper processing of Privacy Act requests.
IP-3	The organization: IP-3a.: Provides a process for individuals to have inaccurate personally identifiable information (PII) maintained by the organization corrected or amended, as appropriate; and IP-3b.: Establishes a process for disseminating corrections or amendments of the PII to other authorized users of the PII, such as external information-sharing partners and, where feasible and appropriate, notifies affected individuals that their information has been corrected or amended.
UL-1	The organization uses personally identifiable information (PII) internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices.
UL-2	The organization: UL-2a.: Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes; UL-2b.: Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used; UL-2c.: Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and UL-2d.: Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required.

Enhancements

The controls below (if any) add on to the requirements of TR-1.

Control	Description
TR-1 (1)	The organization provides real-time and/or layered notice when it collects PII.

Related CCIs

The CCIs below are tied to TR-1.

CCI	Definition
CCI-003556	The organization provides effective notice to the public regarding its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII).
CCI-003557	The organization provides effective notice to individuals regarding its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII).
CCI-003558	The organization provides effective notice to the public regarding its authority for collecting personally identifiable information (PII).
CCI-003559	The organization provides effective notice to individuals regarding its authority for collecting personally identifiable information (PII).
CCI-003560	The organization provides effective notice to the public regarding the choices, if any, individuals may have regarding how the organization uses personally identifiable information (PII).
CCI-003561	The organization provides effective notice to individuals regarding the choices, if any, individuals may have regarding how the organization uses personally identifiable information (PII).
CCI-003562	The organization provides effective notice to the public regarding the consequences of exercising or not exercising the choices regarding how the organization uses personally identifiable information (PII).
CCI-003563	The organization provides effective notice to individuals regarding the consequences of exercising or not exercising the choices regarding how the organization uses personally identifiable information (PII).
CCI-003564	The organization provides effective notice to the public regarding the ability of individuals to access personally identifiable information (PII).
CCI-003565	The organization provides effective notice to individuals regarding the ability to access personally identifiable information (PII).
CCI-003566	The organization provides effective notice to the public regarding the ability to have personally identifiable information (PII) amended or corrected if necessary.
CCI-003567	The organization provides effective notice to individuals regarding the ability to have personally identifiable information (PII) amended or corrected if necessary.
CCI-003568	The organization describes the personally identifiable information (PII) the organization collects.
CCI-003569	The organization describes the purpose(s) for which it collects the personally identifiable information (PII).
CCI-003570	The organization describes how the organization uses personally identifiable information (PII) internally.
CCI-003571	The organization describes whether the organization shares personally identifiable information (PII) with external entities.
CCI-003572	The organization describes the categories of those external entities with whom personally identifiable information (PII) is shared.
CCI-003573	The organization describes the purposes for sharing personally identifiable information (PII) with external entities.
CCI-003574	The organization describes whether individuals have the ability to consent to specific uses or sharing of personally identifiable information (PII).
CCI-003575	The organization describes how individuals may exercise their consent regarding specific uses or sharing of personally identifiable information (PII).
CCI-003576	The organization describes how individuals may obtain access to personally identifiable information (PII).
CCI-003577	The organization describes how the personally identifiable information (PII) will be protected.
CCI-003578	The organization revises its public notices to reflect changes in practice or policy that affect personally identifiable information (PII), before or as soon as practicable after the change.
CCI-003579	The organization revises its public notices to reflect changes in practice or policy that impact privacy, before or as soon as practicable after the change.