Establish, implement, and maintain a privacy impact assessment.
CONTROL ID
13712
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a privacy framework that protects restricted data., CC ID: 11850

This Control has the following implementation support Control(s):
  • Include the individuals with whom information is shared in the privacy impact assessment., CC ID: 15520
  • Include how to grant consent in the privacy impact assessment., CC ID: 15519
  • Include the opportunities for individuals to consent to using their information in the privacy impact assessment., CC ID: 15518
  • Include the opportunities for opting out of information collection in the privacy impact assessment., CC ID: 15517
  • Include data handling procedures in the privacy impact assessment., CC ID: 15516
  • Include the intended use of information in the privacy impact assessment., CC ID: 15515
  • Include the reason information is being collected in the privacy impact assessment., CC ID: 15514
  • Include the type of information to be collected in the privacy impact assessment., CC ID: 15513
  • Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties., CC ID: 15458
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The number of personal information being processed; (Article 33(2) (1), Personal Information Protection Act)
  • Whether the personal information is provided to a third party; (Article 33(2) (2), Personal Information Protection Act)
  • The probability to violate the rights of the data subjects and the degree of risks; (Article 33(2) (3), Personal Information Protection Act)
  • Other matters prescribed by Presidential Decree. (Article 33(2) (4), Personal Information Protection Act)
  • In the case of a probable breach of personal information of data subjects arising out of the operation of personal information files meeting the criteria prescribed by Presidential Decree, the head of a public institution shall conduct an assessment to analyze and improve risk factors (hereinafter r… (Article 33(1), Personal Information Protection Act)
  • A personal information controller other than public institutions shall proactively endeavor to conduct the privacy impact assessment, if a violation of personal information of data subjects is highly probable in operating the personal information files. (Article 33(8), Personal Information Protection Act)
  • reduce the likelihood that the adverse effect will occur; or (§ 15A.(5)(b)(ii), Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021)
  • eliminate the adverse effect; (§ 15A.(5)(b)(i), Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021)
  • mitigate the adverse effect; and (§ 15A.(5)(b)(iii), Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021)
  • The entity performs a privacy (risk) impact assessment to identify and evaluate privacy specific risks, vulnerabilities and scenarios that could result in a system or information privacy breach situation. Privacy (risk) impact assessments are also used to identify security control weaknesses that ne… (M1.3 Privacy (risk) impact assessment, Privacy Management Framework, Updated March 1, 2020)
  • The organization should assess the need for, and implement where appropriate, a privacy impact assessment whenever new processing of PII or changes to existing processing of the PII is planned. (§ 7.2.5 Control, ISO/IEC 27701:2019, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines)
  • The entity shall discuss the degree to which its policies and practices address similar issues as those outlined in the U.S. Office of Management and Budget's "Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (M-03-22)," including use of Privacy Impact Assessments (PI… (TC-IM-220a.1. 3, Internet Media & Services Sustainability Accounting Standard, Version 2018-10)
  • The entity shall discuss the degree to which its policies and practices address similar issues as those outlined in the U.S. Office of Management and Budget's (OMB) "Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (M-03-22)," including use of Privacy Impact Assessme… (TC-SI-220a.1. 3, Software & IT Services Sustainability Accounting Standard, Version 2018-10)
  • The entity shall discuss the degree to which its policies and practices address similar issues as those outlined in the U.S. Office of Management and Budget's "Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (M-03-22)," including use of Privacy Impact Assessments (PI… (TC-TL-220a.1. 3, Telecommunication Services Sustainability Accounting Standard, Version 2018-10)
  • Conduct privacy impact assessments for systems, programs, or other activities before: (RA-8 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • The agency SHALL publish a Privacy Impact Assessment (PIA) to cover such collection, as applicable. (4.4 ¶ 3 Bullet 1 Subbullet 3, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • The agency SHALL publish a Privacy Impact Assessment (PIA) to cover such collection, as applicable. (4.2 ¶ 1.12.g, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • The agency SHALL publish or identify coverage by a Privacy Impact Assessment (PIA) as applicable. (5.2 ¶ 5 4., Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)
  • Conduct a comprehensive Privacy Impact Assessment (PIA) and a periodic review and update of the assessment on systems containing PII for the purpose of implementing PIV consistent with the methodology of [E-Gov] and the requirements of [M-03-22]. Consult with appropriate personnel responsible for pr… (2.11 ¶ 3 Bullet 2, FIPS Pub 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors)
  • Conduct privacy impact assessments of proposed rules on the privacy of personal information, including the type of personal information collected and the number of people affected (T0903, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct Privacy Impact Assessments (PIAs) of the application's security design for the appropriate security controls, which protect the confidentiality and integrity of Personally Identifiable Information (PII). (T0032, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct periodic information privacy impact assessments and ongoing compliance monitoring activities in coordination with the organization's other compliance and operational assessment functions (T0904, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct Privacy Impact Assessments (PIAs) of the application's security design for the appropriate security controls, which protect the confidentiality and integrity of Personally Identifiable Information (PII). (T0032, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct privacy impact assessments of proposed rules on the privacy of personal information, including the type of personal information collected and the number of people affected (T0903, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct periodic information privacy impact assessments and ongoing compliance monitoring activities in coordination with the organization's other compliance and operational assessment functions (T0904, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures. (AR-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Conduct privacy impact assessments for systems, programs, or other activities before: (RA-8 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Conduct privacy impact assessments for systems, programs, or other activities before: (RA-8 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • As a general matter, an agency must conduct a privacy impact assessment (PIA) under section 208(b) of the E-Government Act of 2002, absent an applicable exception under that section, when the agency develops, procures, or uses information technology to create, collect, use, process, store, maintain,… (Section VII (A) ¶ 3 Agency Privacy Programs., OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • As a general matter, an agency must conduct a privacy impact assessment (PIA) under section 208(b) of the E-Government Act of 2002, absent an applicable exception under that section, when the agency develops, procures, or uses information technology to create, collect, use, process, store, maintain,… (Section VII (A) ¶ 4 Privacy Impact Assessments., OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Moreover, a PIA is not a time-restricted activity that is limited to a particular milestone or stage of the information system or PII life cycles. Rather, the privacy analysis must continue throughout the information system and PII life cycles. Accordingly, a PIA must be considered a living document… (Section VII (A) ¶ 6, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • In addition to serving as an important analytical tool for agencies, a PIA also serves as notice to the public regarding the agency's practices with respect to privacy and information technology. All PIAs must be drafted in plain language and must be posted on the agency's website, unless doing so w… (Section VII (A) ¶ 7, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • A PIA is one of the most valuable tools Federal agencies use to ensure compliance with applicable privacy requirements and manage privacy risks. Agencies must conduct and draft a PIA with sufficient clarity and specificity to demonstrate that the agency fully considered privacy and incorporated appr… (Section VII (A) ¶ 5, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)