NIST 800-53 REV 5 • PROGRAM MANAGEMENT

PM-21 Accounting of Disclosures

a. Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:
   1. Date, nature, and purpose of each disclosure; and
   2. Name and address, or other contact information of the individual or organization to which the disclosure was made;
b. Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and
c. Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed, to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information, and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the Privacy Act of 1974 [PRIVACT]; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision. Organizations can use any system for keeping notations of disclosures, provided they can construct from it a document listing all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services that provide notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing the disclosure or dissemination of information, and with dissemination restrictions.

Practitioner Notes

You must track when you disclose PII to third parties and be able to account for those disclosures if an individual asks. This is a Privacy Act requirement for federal agencies and a best practice for any organization handling PII.

Example 1: Maintain a disclosure log that records every time PII is shared with an outside party — who received it, what data was shared, the date, the purpose, and the legal authority. Review this log quarterly with your privacy officer.
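A minimal accounting-of-disclosures ledger that applies the control's field list (a.1 and a.2), its retention rule (b) and the per-individual accounting (c), written here as an added illustration; it is not NIST's, Microsoft's or any vendor's code. The class, function and field names (DisclosureLedger, retain_until, build_sample_ledger and so on) are this example's own choices, and the entries it records are constructed sample data. Entries are hash-chained so that a later compliance review can detect deletion or editing of earlier records, which is the audit-trail purpose the supplemental guidance describes:

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import date


@dataclass
class Disclosure:
    """One accounting entry. Field names are this example's own, not NIST's."""
    subject_id: str         # individual the PII relates to (internal identifier)
    disclosed_on: str       # PM-21 a.1: date of the disclosure (ISO 8601)
    nature: str             # PM-21 a.1: nature (which PII elements were shared)
    purpose: str            # PM-21 a.1: purpose
    recipient: str          # PM-21 a.2: name of the receiving person or organization
    recipient_contact: str  # PM-21 a.2: address or other contact information
    authority: str          # routine use or other legal basis (good practice; not in PM-21 text)
    prev_hash: str          # SHA-256 of the preceding entry, making the log tamper-evident

    def entry_hash(self) -> str:
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


class DisclosureLedger:
    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self) -> None:
        self._entries: list[Disclosure] = []

    def record(self, **fields) -> Disclosure:
        """Append an entry whose prev_hash commits to everything recorded before it."""
        prev = self._entries[-1].entry_hash() if self._entries else self.GENESIS
        entry = Disclosure(prev_hash=prev, **fields)
        self._entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the newest entry. Store it out of band (e.g. in the quarterly review
        minutes): the chain alone cannot detect edits to, or removal of, the last entry."""
        return self._entries[-1].entry_hash() if self._entries else self.GENESIS

    def verify_chain(self) -> bool:
        """Recompute every hash and check each entry points at its predecessor."""
        expected = self.GENESIS
        for entry in self._entries:
            if entry.prev_hash != expected:
                return False
            expected = entry.entry_hash()
        return True

    def accounting_for(self, subject_id: str) -> list[dict]:
        """PM-21 c: the accounting handed to an individual on request."""
        return [
            {"date": e.disclosed_on, "nature": e.nature, "purpose": e.purpose,
             "recipient": e.recipient, "contact": e.recipient_contact}
            for e in self._entries if e.subject_id == subject_id
        ]


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February, and the target year has no leap day
        return d.replace(year=d.year + years, day=28)


def retain_until(disclosed_on: str, pii_retained_until: str) -> date:
    """PM-21 b: keep the entry until the PII itself is disposed of or five years
    after the disclosure, whichever is later."""
    disclosed = date.fromisoformat(disclosed_on)
    pii_end = date.fromisoformat(pii_retained_until)
    return max(pii_end, _add_years(disclosed, 5))


def build_sample_ledger() -> DisclosureLedger:
    """Constructed sample entries for illustration only."""
    ledger = DisclosureLedger()
    ledger.record(subject_id="S-1001", disclosed_on="2024-03-01",
                  nature="name, mailing address", purpose="benefit eligibility verification",
                  recipient="Example State Agency", recipient_contact="records@example.gov",
                  authority="routine use 3 in the system of records notice")
    ledger.record(subject_id="S-2002", disclosed_on="2024-04-02",
                  nature="name, date of birth", purpose="identity verification",
                  recipient="Example Bank", recipient_contact="123 Main St, Anytown",
                  authority="written consent of the individual")
    ledger.record(subject_id="S-1001", disclosed_on="2024-05-03",
                  nature="name, case number", purpose="case referral",
                  recipient="Example Contractor LLC", recipient_contact="privacy@contractor.example",
                  authority="routine use 7 in the system of records notice")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify_chain(), "head:", ledger.head()[:16])
    for row in ledger.accounting_for("S-1001"):
        print(row, "retain until", retain_until(row["date"], "2026-12-31"))
```

The chain makes editing or dropping an earlier entry detectable on the next review, but the newest entry can be altered without breaking any link, so the head hash has to be recorded somewhere the ledger's operators cannot quietly change. Whatever system actually holds the accounting (a case-management field, a SIEM index, a spreadsheet), the check that matters is the one in accounting_for: you can produce, for a named individual, every disclosure with the date, nature, purpose and recipient contact.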

Example 2: In Microsoft Purview, use a Data Subject Request (DSR) case to find a person's data across Exchange, SharePoint, OneDrive, and Teams when they ask what you hold about them. Note that such a search shows where the person's data resides inside your tenant, not to whom it has been disclosed outside it, so it does not by itself satisfy PM-21; pair it with the disclosure log from Example 1 (or a disclosure-tracking field in your case management system) to produce the actual accounting.