• Requirement

    Provide notice to individuals about the processing of personally identifiable information that:

    1. Is available to individuals upon first interacting with an organization, and subsequently at [Assignment: organization-defined frequency];
    2. Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language;
    3. Identifies the authority that authorizes the processing of personally identifiable information;
    4. Identifies the purposes for which personally identifiable information is to be processed; and
    5. Includes [Assignment: organization-defined information].
  • Discussion

    Privacy notices help inform individuals about how their personally identifiable information is being processed by the system or organization. Organizations use privacy notices to inform individuals about how, under what authority, and for what purpose their personally identifiable information is processed, as well as other information such as choices individuals might have with respect to that processing and other parties with whom information is shared. Laws, executive orders, directives, regulations, or policies may require that privacy notices include specific elements or be provided in specific formats. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding when and where to provide privacy notices, as well as elements to include in privacy notices and required formats. In circumstances where laws or government-wide policies do not require privacy notices, organizational policies and determinations may require privacy notices and may serve as a source of the elements to include in privacy notices.

    Privacy risk assessments identify the privacy risks associated with the processing of personally identifiable information and may help organizations determine appropriate elements to include in a privacy notice to manage such risks. To help individuals understand how their information is being processed, organizations write materials in plain language and avoid technical jargon.

More Info

  • Title

    Privacy Notice
  • Family

    PII Processing and Transparency
  • NIST 800-53B Baseline(s)

    • Privacy
  • Related NIST 800-53 ID


NIST 800-53A Assessment Guidance

CMMC Training

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!