NIST 800-53 REV 5 • PROGRAM MANAGEMENT

PM-20 Dissemination of Privacy Program Information

Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:

a. Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;

b. Ensures that organizational privacy practices and reports are publicly available; and

c. Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

For federal agencies, the webpage is located at www.[agency].gov/privacy. Federal agencies include public privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) exemption and implementation rules, privacy reports, privacy policies, instructions for individuals making an access or amendment request, email addresses for questions/complaints, blogs, and periodic publications.

Practitioner Notes

Make your privacy program information available to the public and to your employees. People should be able to easily find out how you handle their personal information.

Example 1: Publish a clear, plain-language privacy policy on your website that explains what data you collect, why, how you protect it, and how people can exercise their privacy rights (access, correction, deletion). Update it whenever your data practices change.

Example 2: Create an internal privacy page on your company intranet or SharePoint site with FAQs for employees: how to handle customer PII, what to do if they suspect a data breach, and who the privacy contact is. Make this part of new employee onboarding.