6. HHS Security Controls
6.4 Privacy Controls
The Privacy program class of controls for an information system provides administrative, technical, and physical safeguards within an organization to protect Personally Identifiable Information (HHS Restricted and Confidential Information). This class consists of eight security policies: Authority and Purpose (AP), Accountability, Audit, and Risk Management (AR), Data Quality and Integrity (DI), Data Minimization and Retention (DM), Individual Participation and Redress (IP), Security (SE), Transparency (TR), and Use Limitation (UL).
6.4.1 (AP) Authority and Purpose Policy and Its Controls
Policy: The HHS organization requires that HHS (i) identify the legal basis that authorizes a particular HHS Restricted and Confidential Information collection or activity that impacts privacy; and (ii) specify the purposes for which it collects HHS Restricted and Confidential Information in its privacy notices.
Table 22 lists the Authority and Purpose (AP) controls for moderate impact systems.
Table 22 Authority and Purpose Controls HHS
Control ID | Control Name | Priority | Description of Control
AP-1 | Authority to Collect | P1 | The HHS organization determines the legal authority that permits the collection, use, maintenance, and sharing of HHS Restricted and Confidential Information in support of a specific program or information system need.
AP-2 | Purpose Specification | P1 | The HHS organization describes the purposes for which HHS Restricted and Confidential Information is collected, used, maintained, and shared in its privacy notices.
6.4.2 (AR) Accountability, Audit, and Risk Management Policy and Its Controls
Policy: The HHS organization requires that HHS comply with all applicable privacy protection requirements and minimize its overall privacy risk. This policy is intended to enhance public confidence through effective governance controls, monitoring controls, risk management, and assessment controls.
Table 23 lists the Accountability, Audit, and Risk controls for moderate impact systems.
Table 23 Accountability, Audit, and Risk Management Controls HHS
Control ID | Control Name | Priority | Description of Control
AR-1 | Governance and Privacy Program | P1 | The HHS organization:
a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an Agency-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of HHS Restricted and Confidential Information by programs and information systems;
b. Allocates an HHS Agency-defined level of budget and staffing resources to implement and operate the organization-wide privacy program;
c. Develops, disseminates, and implements privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving HHS Restricted and Confidential Information;
d. Develops a privacy plan for implementing applicable privacy controls, policies, and procedures; and
e. Updates the privacy plan, policies, and procedures as defined by the Agency.
AR-2 | Privacy Impact and Risk Assessment | P1 | The HHS organization:
a. Establishes a privacy risk assessment process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, and use of personally identifiable information;
b. Conducts a Privacy Impact Assessment (PIA) for information systems and programs in accordance with Office of Management and Budget (OMB) policy and any existing organizational policies and procedures; and
c. Follows a documented, repeatable process for conducting, reviewing, and approving Privacy Impact Assessments.
AR-3 | Privacy Requirements for Contractors | P2 | The HHS organization:
a. Establishes and monitors compliance of privacy requirements including privacy roles and responsibilities for contractors and service providers; and
AR-5 | Privacy Awareness and Training | P2 | The HHS organization:
a. Develops, implements, and updates (i) a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures; and
b. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements.
AR-6 | Privacy Reporting | P3 | The HHS organization develops, disseminates, and updates reports to the Office of Management and Budget (OMB) and Congress to demonstrate accountability with specific statutory and regulatory privacy program mandates, and to senior management and other personnel with responsibility for monitoring privacy program progress and compliance.
6.4.3 (DI) Data Quality and Integrity Policy and Its Controls
Policy: The HHS organization requires compliance with Section 552a (e)(2) of the Privacy Act of 1974 and enhances public confidence that any HHS Restricted and Confidential Information collected and maintained by the organization is accurate, relevant, timely, and complete for the purpose for which it is to be used, as specified in the public notice.
Table 24 lists the Data Quality and Integrity controls for moderate impact systems.
Table 24 Data Quality and Integrity Controls HHS
Control ID | Control Name | Priority | Description of Control
DI-1 | Data Quality | P3 | The HHS organization:
a. Confirms, to the extent feasible upon collection or creation of HHS Restricted and Confidential Information, the accuracy, relevance, timeliness, and completeness of that HHS Restricted and Confidential and Agency Internal Information;
b. Collects HHS Restricted and Confidential Information directly from the individual to the greatest extent practicable;
c. Checks for, and corrects as necessary, any inaccurate or outdated HHS Restricted and Confidential Information used by its programs or systems; and
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information.
(1) Where feasible, the organization’s systems are configured to record the date HHS Restricted and Confidential Information is collected, created, or updated and when HHS Restricted and Confidential and Agency Internal Information is to be deleted or archived under an approved record retention schedule.
DI-2 | Data Integrity | P3 | The HHS organization:
a. Documents processes to ensure the integrity of HHS Restricted and Confidential Information through existing security controls; and
b. Establishes a Data Integrity Board when appropriate, to oversee organizational computer matching agreements and to ensure that those agreements comply with the computer matching provisions of the Privacy Act.
6.4.4 (DM) Data Minimization and Retention Policy and Its Controls
Policy: The HHS organization requires that HHS implement the data minimization and retention elements of the Privacy Act, which require organizations to collect, use, and retain only HHS Restricted and Confidential Information that is relevant and necessary for the specified purpose for which it was originally collected. The HHS organization retains HHS Restricted and Confidential Information for only as long as necessary to fulfill the specified purposes and in accordance with a National Archives and Records Administration (NARA)-approved record retention schedule.
Table 25 lists the Data Minimization and Retention controls for moderate impact systems.
Table 25 Data Minimization and Retention Controls HHS
Control ID | Control Name | Priority | Description of Control
DM-1 | Minimization of Personally Identifiable Information | P1 | The HHS organization:
a. Identifies the minimum HHS Restricted and Confidential and Agency Internal Information elements that are relevant and necessary to accomplish the legally authorized purpose of collection;
b. Limits the collection and retention of HHS Restricted and Confidential Information to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and
c. Conducts an initial evaluation and performs periodic evaluations of its holdings of HHS Restricted and Confidential Information to ensure that only the HHS Restricted and Confidential and Agency Internal Information identified in the notice is collected and retained, and that the HHS Restricted and Confidential Information continues to be necessary to accomplish the legally authorized purpose.
(1) Where feasible and within the limits of technology, the organization locates and removes or redacts specified HHS Restricted and Confidential Information and/or uses anonymization and de-identification techniques to permit use of the retained information while reducing its sensitivity and reducing the risk resulting from disclosure.
DM-2 | Data Retention and Disposal | P1 | The HHS organization:
a. Retains HHS Restricted and Confidential Information for only as long as is necessary to fulfill the purpose(s) identified in the notice or as required by law;
b. Appropriately disposes of HHS Restricted and Confidential Information when it is no longer necessary to retain it;
c. Systematically destroys, erases, and/or anonymizes the HHS Restricted and Confidential Information regardless of the method of storage (e.g., electronic, optical media, or paper-based) in accordance with a National Archives and Records Administration (NARA)-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access; and
d. Uses audits and appropriate technology to ensure secure deletion or destruction of HHS Restricted and Confidential Information (including originals, copies, and archived records).
Additional Criteria:
1. Audit Trail of Restricted Data should be archived for six (6) years.
2. Confidential log data should be archived for six (6) years.
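The following is an added example, not code from the HHS document, showing how DI-1(1) (recording collection, update, and scheduled-disposal dates), DM-1(1) (redaction and de-identification of retained records), and DM-2 with its Additional Criteria (retention-driven, audited disposal) can be implemented together in a small record store. The schedule identifiers, field names, the three-year intake value, and the sample record are constructed for illustration; only the two six-year values restate the page's Additional Criteria.

```python
"""Record-lifecycle metadata, retention-driven disposition and de-identification
for a store of HHS Restricted and Confidential Information.

Added example, not code from the HHS document. Schedule ids, field names and
the 3-year value are constructed; the two 6-year values restate the page's
Additional Criteria.
"""
from dataclasses import dataclass
from datetime import date
import hashlib
import hmac
import re

# DI-1(1): every record carries the dates it was collected/updated and the date
# it is due for disposal under an approved schedule. Retention here runs from
# the collection date (an assumption; a real schedule may run from last use).
RETENTION_SCHEDULE_YEARS = {
    "AUDIT-RESTRICTED": 6,  # Additional Criteria 1: audit trail of Restricted data
    "LOG-CONFIDENTIAL": 6,  # Additional Criteria 2: Confidential log data
    "INTAKE-FORM": 3,       # constructed value for an intake record
}

# Assumed names of direct-identifier fields (DM-1(1) targets for removal).
DIRECT_IDENTIFIERS = {"name", "ssn", "email"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # SSN-like pattern in free text


@dataclass
class PiiRecord:
    record_id: str
    schedule_id: str
    fields: dict
    collected_on: date
    updated_on: date
    dispose_on: date


def years_after(d: date, years: int) -> date:
    """Same calendar date N years on; 29 Feb rolls to 1 Mar in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)


def create_record(record_id: str, schedule_id: str, fields: dict, today: date) -> PiiRecord:
    """Refuses PII with no approved schedule (KeyError) so nothing is kept indefinitely."""
    years = RETENTION_SCHEDULE_YEARS[schedule_id]
    return PiiRecord(record_id, schedule_id, dict(fields), today, today,
                     years_after(today, years))


def update_record(rec: PiiRecord, changes: dict, today: date) -> PiiRecord:
    """DI-1(1): the update date is recorded; the disposal date is unchanged."""
    rec.fields.update(changes)
    rec.updated_on = today
    return rec


def pseudonymize(rec: PiiRecord, key: bytes) -> dict:
    """DM-1(1): return a copy usable for analysis with direct identifiers replaced
    by keyed HMAC tokens (re-linkable only by the key holder, so the key itself
    must be protected) and SSN-like strings redacted from the remaining fields."""
    out = {}
    for name, value in rec.fields.items():
        if name in DIRECT_IDENTIFIERS:
            out[name] = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]
        else:
            out[name] = SSN_RE.sub("[REDACTED]", str(value))
    return out


def disposition(records: list, today: date, audit_log: list) -> list:
    """DM-2 a/d: list the record ids due for disposal and log every decision."""
    due = []
    for rec in records:
        action = "DISPOSE" if today >= rec.dispose_on else "RETAIN"
        audit_log.append(f"{today.isoformat()} {rec.record_id} schedule={rec.schedule_id} "
                         f"dispose_on={rec.dispose_on.isoformat()} {action}")
        if action == "DISPOSE":
            due.append(rec.record_id)
    return due


def dispose(records: list, due_ids: list) -> list:
    """DM-2 b/c: drop the due records from the live store (sanitisation of backups
    and paper copies is handled outside this example)."""
    return [r for r in records if r.record_id not in due_ids]


def demo() -> dict:
    """Runs the lifecycle on one constructed record collected on a leap day."""
    rec = create_record("R-1", "INTAKE-FORM",
                        {"name": "Jane Doe", "ssn": "123-45-6789",
                         "note": "caller repeated SSN 123-45-6789"},
                        date(2020, 2, 29))
    update_record(rec, {"phone": "555-0100"}, date(2021, 6, 1))
    log: list = []
    try:
        create_record("R-2", "NO-SUCH-SCHEDULE", {}, date(2020, 1, 1))
        unscheduled_rejected = False
    except KeyError:
        unscheduled_rejected = True
    return {
        "dispose_on": rec.dispose_on.isoformat(),          # 2023-03-01
        "updated_on": rec.updated_on.isoformat(),          # 2021-06-01
        "due_early": disposition([rec], date(2023, 2, 28), log),  # []
        "due_on_date": disposition([rec], date(2023, 3, 1), log),  # ['R-1']
        "remaining": [r.record_id for r in dispose([rec], ["R-1"])],
        "pseudo": pseudonymize(rec, b"example-key"),
        "audit_lines": len(log),
        "unscheduled_rejected": unscheduled_rejected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The disposal date is fixed at creation so that a record cannot outlive its schedule through repeated edits, and `disposition` writes one audit line per decision before anything is deleted, which is the evidence DM-2(d) asks for.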
6.4.5 (IP) Individual Participation and Redress Policy and Its Controls
Policy: The HHS organization requires that individuals are active participants in the decision-making process regarding the collection and use of their HHS Restricted and Confidential Information, as required by the Privacy Act. The controls in this family enhance public confidence in Agency decisions that are based on HHS Restricted and Confidential Information by providing individuals with access to their HHS Restricted and Confidential Information and the ability to have it corrected or amended, as appropriate.
Table 26 lists the Individual Participation and Redress controls for moderate impact systems.
Table 26 Individual Participation and Redress Controls HHS
Control ID | Control Name | Priority | Description of Control
IP-1 | Consent | P3 | The HHS organization:
a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of HHS Restricted and Confidential Information prior to its collection;
b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of HHS Restricted and Confidential Information; and
c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected HHS Restricted and Confidential Information.
(1) Implements mechanisms to support itemized or tiered consent for specific uses of data.
IP-2 | Access | P3 | The HHS organization provides individuals the ability to have access to their HHS Restricted and Confidential Information maintained in its systems of records in order to determine whether to have the HHS Restricted and Confidential Information corrected or amended, as appropriate.
IP-3 | Redress | P3 | The HHS organization:
a. Provides a process for individuals to have inaccurate HHS Restricted and Confidential Information maintained by the organization corrected or amended, as appropriate; and
b. Establishes a process for disseminating corrections or amendments of the HHS Restricted and Confidential Information to other authorized users of the HHS Restricted and Confidential Information, such as external information sharing partners, and, where feasible and appropriate, notifies affected individuals that their information has been corrected or amended.
IP-4 | Complaint Management | P1 | The HHS organization implements a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices.
6.4.6 (SE) Security Policy and Its Controls
Policy: The HHS organization requires that administrative, technical, and physical measures be in place to protect HHS Restricted and Confidential Information collected or maintained by agencies against loss, unauthorized access, or disclosure, as required by the Privacy Act, and requires that Agency planning and responses to privacy incidents comply with OMB policies and guidance. The controls in this family are implemented in coordination with information security personnel using the existing NIST Risk Management Framework.
Table 27 lists the Security controls for moderate impact systems.
Table 27 Security Controls HHS
Control ID | Control Name | Priority | Description of Control
SE-1 | Inventory of Personally Identifiable Information | P2 | The HHS organization:
a. Establishes, maintains, and regularly updates an HHS Restricted and Confidential Information inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing HHS Restricted and Confidential Information; and
b. Provides each update of the HHS Restricted and Confidential Information inventory to the CIO or other information security officials to support the establishment of appropriate information security requirements for all new or modified information systems containing HHS Restricted and Confidential Information.
SE-2 | Privacy Incident Response | P2 | The HHS organization:
a. Develops and implements a Privacy Incident Response Plan; and
b. Provides an organized and effective response to incidents of unauthorized exposure of Agency-controlled HHS Restricted and Confidential Information, in accordance with the Agency Privacy Incident Response Plan.
6.4.7 (TR) Transparency Policy and Its Controls
Policy: The HHS organization requires that agencies implement Sections 552a (e)(3) and (e)(4) of the Privacy Act and Section 208 of the E-Government Act, which require public notice of an Agency’s information practices and the privacy impact of government programs and activities.
Table 28 lists the Transparency controls for moderate impact systems.
Table 28 Transparency Controls HHS
Control ID | Control Name | Priority | Description of Control
TR-1 | Privacy Notice | P1 | The HHS organization:
a. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of HHS Restricted and Confidential Information; (ii) authority for collecting HHS Restricted and Confidential Information; and (iii) the choices, if any, individuals may have regarding how the organization uses HHS Restricted and Confidential Information and the consequences of exercising or not exercising those choices;
b. Describes:
(i) the HHS Restricted and Confidential Information the organization collects and the purposes for which it collects that information;
(ii) how the organization uses HHS Restricted and Confidential Information internally;
(iii) whether the organization shares HHS Restricted and Confidential Information with external entities and the purposes for such sharing;
(iv) whether individuals have the ability to consent to specific uses or sharing of HHS Restricted and Confidential Information and how to exercise any such consent;
(v) how individuals may obtain access to HHS Restricted and Confidential Information for the purpose of having it amended or corrected, where appropriate; and
(vi) how the HHS Restricted and Confidential Information will be protected;
c. Revises its public notices to reflect changes in practice or policy that affect HHS Restricted and Confidential Information or changes in its activities that impact privacy; and
d. Ensures (e.g., through updated public notice) that individuals are aware of and, where feasible, consent to all uses of HHS Restricted and Confidential Information not initially described in the public notice that was in effect at the time the organization collected the HHS Restricted and Confidential Information.
(1) Each Agency provides real-time (i.e., at the point of collection) notice when it collects HHS Restricted and Confidential Information.
6.4.8 (UL) Use Limitation Policy and Its Controls
Policy: The HHS organization requires that agencies comply with the Privacy Act, which prohibits uses of HHS Restricted and Confidential Information that are either not specified in notices, incompatible with the specified purposes, or not otherwise permitted by law. Implementation of the controls in this family requires that the scope of HHS Restricted and Confidential Information use is limited accordingly.
Table 29 lists the Use Limitation controls for moderate impact systems.
Table 29 Use Limitation Controls HHS
Control ID | Control Name | Priority | Description of Control
UL-1 | Use Limitation | P2 | The HHS organization uses HHS Restricted and Confidential Information internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices.
UL-2 | Information Sharing | P2 | The HHS organization:
a. Shares HHS Restricted and Confidential Information with third parties, including other public and private sector entities, only for the authorized purposes identified in the Privacy Act and/or described in its notices or in a manner compatible with those purposes;
b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically enumerate the purposes for which HHS Restricted and Confidential Information may be used;
c. Monitors, audits, and trains its staff on the authorized uses and sharing of HHS Restricted and Confidential Information with third parties; and
d. Establishes and implements a process for evaluating any proposed new instances of sharing HHS Restricted and Confidential Information with third parties to assess whether they are authorized and whether additional or new public notice is required.
UL-3 | System Design and Development | P3 | The HHS organization designs information systems to collect, use, maintain, and share HHS Restricted and Confidential Information only for the authorized purposes specified in the Privacy Act and/or organizational public notice(s) or for uses compatible with those purposes.