NIST 800-53 REV 5 • PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY

PT-6(2) Exemption Rules

Review all Privacy Act exemptions claimed for the system of records at {{ insert: param, pt-06.02_odp }} to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) includes two sets of provisions that allow federal agencies to claim exemptions from certain requirements in the statute. In certain circumstances, these provisions allow agencies to promulgate regulations to exempt a system of records from select provisions of the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455). At a minimum, organizations’ [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) exemption regulations include the specific name(s) of any system(s) of records that will be exempt, the specific provisions of the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) from which the system(s) of records is to be exempted, the reasons for the exemption, and an explanation for why the exemption is both necessary and appropriate.

Practitioner Notes

Exemption rules allow agencies to exempt certain systems of records from specific provisions of the Privacy Act. These exemptions must be formally established through rulemaking and published in the Federal Register.

Example 1: If your system contains law enforcement investigative records, you may need to exempt it from the Privacy Act provision requiring disclosure to the individual (to avoid compromising an investigation). Draft the exemption rule, publish it for public comment, and finalize it in the Code of Federal Regulations.

Example 2: Maintain a record of all active exemptions, the systems they apply to, the legal basis for each exemption, and the date of the final rule. Review exemptions periodically to ensure they are still necessary and legally supportable. Document this review in your privacy program records.