NIST 800-53 REV 5 • PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY

PT-3(2) Automation

Track processing purposes of personally identifiable information using {{ insert: param, pt-03.02_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Supplemental Guidance

Automated mechanisms augment tracking of the processing purposes.

Practitioner Notes

Automate the enforcement of purpose limitations so that PII is not used for purposes beyond what was originally stated. This reduces the chance of accidental purpose creep.

Example 1: Build access control rules in your application that check the data's purpose tag against the user's authorized purposes before displaying PII. A marketing team member should not see data collected solely for contract administration, even if both datasets are in the same system.

Example 2: In Microsoft Purview, set up DLP policies and Information Barriers that prevent PII collected for one purpose from being accessed by teams with a different purpose. For example, prevent the sales team from accessing HR-collected employee PII through Teams or SharePoint.
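The purpose-tag check described in Example 1, written out as an added illustration (not code from the NIST text or from any product named above). It assumes each stored PII record carries the purposes stated at collection time, each application user is assigned the purposes they may process, and the caller names the purpose of every access. Both the user's authorization and the record's stated purposes must include that purpose, and every decision is written to an audit trail so the purposes a record has actually been processed for can be reported automatically. Record ids, user ids and field values are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class PiiRecord:
    """A stored PII record tagged with the purposes stated when it was collected."""
    record_id: str
    stated_purposes: FrozenSet[str]
    fields: Dict[str, str]


@dataclass(frozen=True)
class Principal:
    """An application user and the processing purposes they are authorized for."""
    user_id: str
    authorized_purposes: FrozenSet[str]


@dataclass(frozen=True)
class AccessDecision:
    allowed: bool
    reason: str


class PurposeEnforcer:
    """Enforces purpose limitation and keeps an audit trail of processing purposes."""

    def __init__(self) -> None:
        self.audit_log: List[Dict[str, str]] = []

    def decide(self, principal: Principal, record: PiiRecord,
               requested_purpose: str) -> AccessDecision:
        # Both checks must pass: the user may act for this purpose, and the
        # record was collected for it. Checking only one of them lets purpose
        # creep in through the other side.
        if requested_purpose not in principal.authorized_purposes:
            decision = AccessDecision(False, "user not authorized for purpose")
        elif requested_purpose not in record.stated_purposes:
            decision = AccessDecision(False, "record not collected for purpose")
        else:
            decision = AccessDecision(True, "purpose matches collection purpose")
        # Every decision, allowed or denied, is logged with the declared purpose.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": principal.user_id,
            "record": record.record_id,
            "purpose": requested_purpose,
            "allowed": str(decision.allowed),
            "reason": decision.reason,
        })
        return decision

    def view(self, principal: Principal, record: PiiRecord,
             requested_purpose: str) -> Optional[Dict[str, str]]:
        """Return the PII fields only when the purpose check passes."""
        if self.decide(principal, record, requested_purpose).allowed:
            return dict(record.fields)
        return None

    def processing_summary(self, record_id: str) -> Dict[str, int]:
        """Count allowed accesses per purpose for one record (the automated tracking)."""
        summary: Dict[str, int] = {}
        for entry in self.audit_log:
            if entry["record"] == record_id and entry["allowed"] == "True":
                summary[entry["purpose"]] = summary.get(entry["purpose"], 0) + 1
        return summary

    def denied_attempts(self) -> List[Dict[str, str]]:
        """Denied accesses are the signal for purpose-creep review."""
        return [e for e in self.audit_log if e["allowed"] == "False"]


# Constructed sample data (hypothetical ids and values, not from the control text).
CONTRACT_RECORD = PiiRecord("rec-001", frozenset({"contract_admin"}),
                            {"name": "A. Vendor", "email": "a.vendor@example.com"})
MARKETING_RECORD = PiiRecord("rec-002", frozenset({"marketing"}),
                             {"name": "B. Lead", "email": "b.lead@example.com"})
MARKETING_USER = Principal("mkt-user", frozenset({"marketing"}))
CONTRACTS_USER = Principal("contracts-user", frozenset({"contract_admin"}))


def run_demo() -> PurposeEnforcer:
    """Exercise the check with the scenario from Example 1 and return the enforcer."""
    enforcer = PurposeEnforcer()
    enforcer.view(MARKETING_USER, CONTRACT_RECORD, "marketing")       # denied: record not collected for marketing
    enforcer.view(MARKETING_USER, CONTRACT_RECORD, "contract_admin")  # denied: user not authorized for that purpose
    enforcer.view(CONTRACTS_USER, CONTRACT_RECORD, "contract_admin")  # allowed
    enforcer.view(MARKETING_USER, MARKETING_RECORD, "marketing")      # allowed
    return enforcer


if __name__ == "__main__":
    demo = run_demo()
    for entry in demo.audit_log:
        print(entry)
    print(demo.processing_summary("rec-001"))
```

The point of logging denied attempts alongside allowed ones is that the audit trail then serves two needs at once: it documents the purposes each record has been processed for, and it surfaces the cases where a team tried to use PII outside its stated purpose, which is where a purpose-limitation review should start.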