PII Processing and Transparency Plan

Approach basics → §4.x

Roles and locations that anchor the rest of the plan.

PII-in-scope determination * — Select — Yes — system processes PII (PT family fully applicable) Yes — system processes a limited set of PII (some PT controls scoped) Pending determination — PIA under review No — system does not process PII (PT family non-applicable; documented determination per RA-8)

Privacy-program role (one-liner) * Role accountable for the privacy program (e.g., 'Senior Agency Official for Privacy (SAOP)', 'Chief Privacy Officer', 'Privacy Officer + delegate to ISSO').

Privacy-program documentation location Where privacy-program policy, procedures, and registers are maintained.

PIA location (RA-8 cross-reference) Where the system's Privacy Impact Assessment lives. Per E-Government Act Section 208 + OMB M-03-22.

SORN(s) location Where applicable System of Records Notices (SORNs) are published / cited. Per Privacy Act § (e)(4).

Individual-rights workflow (one-liner) Brief phrase describing how individuals exercise rights of access / amendment / complaint (e.g., 'Privacy Act request portal at agency.gov/privacy', 'Mailbox privacy@agency.gov triaged by Privacy Office').

Third-party-dissemination governance role Role accountable for third-party agreements involving PII (e.g., 'Privacy Officer with General Counsel concurrence').

Third-party agreements register location Where MOUs / DSAs / Computer Matching Agreements / Routine Use authorizations are registered.

Authority and Purpose (PT-2) → §4.x

Legal authority and lawful purpose for PII processing.

Legal authority for PII processing Statute / regulation / executive order authorizing PII processing (e.g., '5 U.S.C. § 301 housekeeping authority + agency-specific statute X'). Reference Privacy Act § (e)(3)(A).

Authorized processing purposes

Add item

Suggested: + Personnel administration (HR, payroll) + Benefits administration + Tax administration + Law-enforcement investigation + Public-health surveillance + Statistical research (de-identified) + Service delivery to authorized recipient + Eligibility determination

Purpose-limitation enforcement (PT-2(1)) Per PT-2(1) — how the system enforces use only for authorized purposes. Access-control mapping, query restrictions, masking for non-authorized roles.

External-disclosure basis (PT-2(2)) Per PT-2(2) — basis on which PII is disclosed externally (statute, routine use under SORN, individual consent, court order).

Data Minimization and Consent (PT-3, PT-4) → §4.x

Data-element minimization and individual consent.

PII categories collected

Direct identifiers (name, SSN, EIN) Contact information (address, email, phone) Government-issued IDs (PIV, driver's license) Financial information (account numbers, tax records) Health information (PHI per HIPAA) Biometric data (fingerprints, voice, face) Location data (GPS, IP address) Behavioral / usage data (clickstream, query history) Education / employment history Family / relationship data Sensitive personal characteristics (race, religion, sexual orientation)

Minimization practices (PT-3(2))

Collect only data required for authorized purpose Anonymize / pseudonymize where purpose allows Aggregate where individual-level not required Periodic data-element review for continued necessity Test / training environments use synthesized data (SI-12(2)) Quick-purge of data once retention expires (SI-12) Differential privacy / noise injection (research contexts)

PII data-element inventory location Where the data-element-level inventory of PII processed by the system lives. Reference RA-8.

Consent basis — Select — Explicit / opt-in consent obtained at collection Implied consent based on system context (e.g., job-application submission) Statutory authority (no consent required) Mixed by data category Consent not applicable (involuntary processing under law)

Consent-revocation mechanism (PT-4(1)) Per PT-4(1) — how individuals revoke consent and consequences (some processing may continue under independent legal authority; some must stop).

Consent-record management (PT-4(2)) Per PT-4(2) — how consent records are managed (timestamp, method, scope, retention).

Privacy Notice (PT-5) → §4.x

Notice provided to data subjects.

Privacy-notice content elements

Authority for collection Purpose of collection Routine uses (Privacy Act systems) Whether disclosure is mandatory or voluntary Effects of failing to provide information How to exercise individual rights (access / amendment) Privacy contact info Effective date and version

Notice delivery modalities

At point of collection (form / interface) Layered notice (short summary + detailed link) Privacy policy page on agency website Just-in-time notice for specific data uses Annual privacy-notice reaffirmation Push notification on policy change

Notice review cadence (PT-5 ODV) How often the privacy notice is reviewed for currency. PT-5 ODV. Common: 'Annually + on substantive change to processing'.

Just-in-time notices (PT-5(1)) Per PT-5(1) — when JIT notices are presented (e.g., when collecting data for a new purpose, when broadening dissemination).

Privacy Act statements (PT-5(2)) Per PT-5(2) and Privacy Act § (e)(3) — Privacy Act statement provided when collecting from individuals.

System of Records Notices (PT-6) → §4.x

Privacy Act SORN compliance.

Privacy Act applicability — Select — System of Records under Privacy Act (SORN required) Records about individuals but not retrieved by personal identifier (no SORN required) Privacy Act not applicable (not covered system) Pending determination

SORN publication status If SORN required: when last published in Federal Register, citation, current applicability.

Routine uses defined List of routine uses authorized in the SORN. Reference Privacy Act § (a)(7).

Routine-use inventory location (PT-6(1)) Per PT-6(1) — where routine-use inventory is maintained for SORN currency.

Privacy Act records practices (PT-6(2)) Per PT-6(2) — practices for maintaining records of disclosures and accountings.

Systems-of-records inventory If multiple SORNs apply, where the inventory is tracked.

Specific Categories of PII (PT-7) → §4.x

Special handling for sensitive PII categories.

Special categories handled

Social Security Numbers (SSN) Health information (PHI / HIPAA) Education records (FERPA) Tax records (IRS Pub 1075) Genetic information (GINA) Sensitive personal characteristics (race, religion, sexual orientation) Children's information (COPPA) Financial / banking records (GLBA) Substance-abuse treatment records (42 CFR Part 2) None — no special-category PII

Special-handling procedures Special protections applied to sensitive categories (encryption, restricted access, additional consent, additional notice, statutory floor).

SSN-alternative use (PT-7(1)) Per PT-7(1) — when SSN use is required vs alternatives (employee ID, tax ID, internal identifiers). Reference OMB M-07-16 SSN reduction.

First-Amendment-protected information (PT-7(2)) Per PT-7(2) — handling of First-Amendment-protected information (political beliefs, religion, association). Generally collected only when expressly authorized.

Computer Matching Requirements (PT-8) → §4.x

Computer-matching agreement governance.

Computer-matching in scope? — Select — Yes — system performs matching covered by Privacy Act § (a)(8) Yes — internal match only (within agency, may not require formal CMA) No — no matching activities Pending review

CMA register location Where Computer Matching Agreements are registered (if applicable).

Data Integrity Board reference Federal-agency DIB role if matching applies.

Match-results notification process How individuals are notified of adverse match results before agency action (per Privacy Act § (p)(3)).

Individual Rights of Access and Amendment → §4.x

Privacy Act / regulatory rights administration.

Request-intake channels

Online privacy portal Postal mail to Privacy Officer Email to privacy mailbox In-person at agency office Phone (with verification)

Response SLA (Privacy Act) Time-to-respond per Privacy Act § (d) and agency policy. Common: 'Acknowledgment within 10 business days; substantive response within 30 days'.

Identity verification process How requester identity is verified before disclosure. Privacy Act § (e)(1) prohibits release without verification.

Rights-request records retention How long rights-request records are retained per NARA / Privacy Act § (c).

Privacy Scope and Coverage → §2.x

Quantitative scope numbers that anchor metrics later in the plan.

Approximate data-subject population Order-of-magnitude count of individuals whose PII is processed (anchors breach-impact analysis).

Distinct PII data-element count Approximate count of distinct PII data elements collected.

Third-party PII recipients Count of external organizations receiving PII through SORN routine uses or other agreements.

Quarterly individual-rights requests Approximate volume of individual-rights requests per quarter.

Privacy Metrics & KPIs → §6.x

Metrics tracked to demonstrate PT control effectiveness.

Tracked metrics

Add item

Suggested: + PIA currency (last review date) + SORN currency (last Federal Register publication) + Privacy-notice currency rate + Individual-rights-request response-time SLA compliance + Individual-rights-request volume trend + Consent-completion rate (where applicable) + Third-party agreements current rate + Privacy incidents per quarter (target: 0) + Time-to-breach-notification (per OMB M-17-12 timeline) + PII data-element inventory currency rate + SSN-alternative-use compliance (where alternatives exist) + Open POA&M items linked to PT controls

Privacy Incident Handling → §6.x

Coordination with the IR plan for privacy incidents.

Privacy-incident types in scope

Unauthorized PII disclosure Loss of PII-bearing media (overlaps MP) Unauthorized access by personnel (overlaps PS-8) Vendor PII breach Misuse of PII for unauthorized purpose Failure to honor consent revocation Failure to respond to access request

Notification obligations Notification obligations per OMB M-17-12 (federal), state breach laws, GDPR if applicable. Timing, recipients, content.

DIB / privacy-program role in incident response How the privacy program coordinates with IR — typically privacy officer joins incident-handling team for PII-involving incidents.

Cross-references to other RMF artifacts → §7

Where this plan plugs into the broader RMF package.

SSP section reference Where in the SSP the PT control implementations are summarized (e.g., 'SSP §13.17').

POA&M ID prefix for PT findings Convention for PT-related POA&M items (e.g., 'POAM-PT-' for general).

RA handoff How RA-8 PIA is the entry point. PIA initiation triggers PT plan review; PT implementation feeds PIA conclusions.

AC handoff How PT-2 / PT-3 processing limits are enforced through AC-2 / AC-3 / AC-6 access-control mechanisms.

AT handoff How privacy-related awareness and role-based training (PT-3) is delivered through AT-2 / AT-3.

AU handoff How PT-4 / PT-5 records overlap with the audit pipeline. Privacy Act accountings (§ (c)) recorded in audit.

SI handoff How PT-3(2) data minimization aligns with SI-12(1) PII limitation and SI-12(2) test-data minimization.

IR handoff How privacy incidents trigger the IR plan workflow under OMB M-17-12 breach-notification timelines.

CA-7 continuous-monitoring strategy reference Pointer to the CA-7 monitoring strategy document tying PT continuous-monitoring metrics to the broader ConMon plan.