NIST 800-53 REV 5 • PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY

PT-3(1) Data Tagging

Attach data tags containing the following purposes to [Assignment: organization-defined elements of personally identifiable information]: [Assignment: organization-defined processing purposes].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Supplemental Guidance

Data tags support the tracking of processing purposes by conveying the purposes along with the relevant elements of personally identifiable information throughout the system. By conveying the processing purposes in a data tag along with the personally identifiable information as the information transits a system, a system owner or operator can identify whether a change in processing would be compatible with the identified and documented purposes. Data tags may also support the use of automated tools.

Practitioner Notes

Tag PII with the specific processing purpose so that automated systems can enforce purpose limitations. This is the data tagging counterpart to documenting purposes in PT-3.

Example 1: In your CRM or customer database, add a 'purpose' field to each PII record that captures why each piece of data was collected. Use picklist values like 'contract fulfillment,' 'marketing with consent,' and 'legal compliance' to keep tags consistent.

Example 2: Use Microsoft Purview's Exact Data Match classifiers to identify specific PII types in your environment and tag them with sensitivity labels that encode the processing purpose. This enables automated DLP enforcement based on why the data was collected.
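The purpose field from Example 1 can be enforced in code. The sketch below is an added illustration, not part of the NIST control text or any product's API. It assumes a hypothetical in-memory record format (`TaggedValue`, `tag`, `release`) and a constructed sample record, with each PII element carrying its purpose tags so that a requested processing purpose can be checked before the element is released.

```python
from dataclasses import dataclass

# Picklist from Example 1; a fixed set keeps tags consistent.
ALLOWED_PURPOSES = frozenset(
    {"contract fulfillment", "marketing with consent", "legal compliance"}
)


@dataclass(frozen=True)
class TaggedValue:
    """One PII element together with the purposes it was collected for."""
    value: str
    purposes: frozenset

    def __post_init__(self):
        # Reject untagged elements and tags outside the picklist.
        unknown = self.purposes - ALLOWED_PURPOSES
        if not self.purposes or unknown:
            raise ValueError(f"invalid purpose tag(s): {sorted(unknown) or 'none given'}")


def tag(value, *purposes):
    """Hypothetical helper: attach purpose tags to a PII element."""
    return TaggedValue(value, frozenset(purposes))


def release(record, purpose):
    """Split a record into fields whose tags permit `purpose` and fields withheld."""
    if purpose not in ALLOWED_PURPOSES:
        raise ValueError(f"unknown processing purpose: {purpose!r}")
    # Released fields stay TaggedValue objects, so the tag travels with the data.
    allowed = {k: v for k, v in record.items() if purpose in v.purposes}
    withheld = sorted(k for k in record if k not in allowed)
    return allowed, withheld


# Constructed sample record (not real data).
CUSTOMER = {
    "email": tag("pat@example.com", "contract fulfillment", "marketing with consent"),
    "postal_address": tag("1 Example St", "contract fulfillment"),
    "tax_id": tag("000-00-0000", "legal compliance"),
}

if __name__ == "__main__":
    for purpose in sorted(ALLOWED_PURPOSES):
        allowed, withheld = release(CUSTOMER, purpose)
        print(f"{purpose}: release {sorted(allowed)}, withhold {withheld}")
```

A processing purpose that is not in the picklist raises an error rather than silently returning nothing, which surfaces a proposed change in processing for review against the documented purposes.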