For systems that process personally identifiable information:
(a) Apply the following processing rules to data elements of personally identifiable information: [Assignment: organization-defined processing rules];
(b) Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system;
(c) Document each processing exception; and
(d) Review and remove exceptions that are no longer supported.
Managing the processing of personally identifiable information is an important aspect of protecting an individualÃ¢â‚¬â„¢s privacy. Applying, monitoring for, and documenting exceptions to processing rules ensure that personally identifiable information is processed only in accordance with established privacy requirements.