NIST 800-53 REV 5 • PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY

PT-7 Specific Categories of Personally Identifiable Information

Apply {{ insert: param, pt-07_odp }} for specific categories of personally identifiable information.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, directives, regulations, policies, standards, or guidelines. The requirements may also come from the results of privacy risk assessments that factor in contextual changes that may result in an organizational determination that a particular category of personally identifiable information is particularly sensitive or raises particular privacy risks. Organizations consult with the senior agency official for privacy and legal counsel regarding any protections that may be necessary.

Practitioner Notes

Certain categories of PII — Social Security numbers, health records, financial data, biometrics — require additional safeguards due to their sensitivity. This control requires you to identify and apply extra protection to these data types.

Example 1: Classify PII by sensitivity tier. Tier 1 might be publicly available information (business email). Tier 2 might be internal PII (home address, phone number). Tier 3 would be highly sensitive PII (SSN, medical records, biometrics). Apply progressively stronger controls — encryption, access restrictions, audit logging — as the tier increases.

Example 2: In Microsoft Purview, create Sensitive Information Types for each category and configure DLP policies that apply stricter rules to higher-sensitivity types. For example, SSNs trigger automatic encryption and block external sharing, while business email addresses only generate a policy tip.
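The tiering scheme from Example 1 and the tier-dependent sharing decision from Example 2, carried through as an added example (not part of the NIST text or any Purview configuration). The field names, the SSN format check, the control set per tier, and the sharing actions for each tier are this example's own assumptions.

```python
import re

# Assumed control set required per tier, mirroring Example 1 above:
# stronger protections as the tier increases.
TIER_CONTROLS = {
    1: set(),                                                    # public PII
    2: {"access_restriction"},                                   # internal PII
    3: {"access_restriction", "encryption_at_rest", "audit_logging"},  # sensitive
}

# Assumed mapping of record field names to tiers.
FIELD_TIERS = {
    "business_email": 1,
    "home_address": 2, "phone": 2,
    "ssn": 3, "medical_record": 3, "biometric": 3,
}

# Assumed action on an *external* share attempt per tier (Example 2:
# SSNs block sharing, business email only raises a policy tip).
EXTERNAL_SHARE_ACTION = {1: "policy_tip", 2: "require_review", 3: "block"}

# SSN shape check: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")


def tier_of(field, value):
    """Tier from the field name; an SSN-shaped value in any field escalates to tier 3."""
    tier = FIELD_TIERS.get(field, 2)  # unknown PII fields default to the internal tier
    if isinstance(value, str) and SSN_RE.match(value):
        tier = 3
    return tier


def record_tier(record):
    """A record inherits the highest tier of any field it contains."""
    return max((tier_of(f, v) for f, v in record.items()), default=1)


def missing_controls(record, applied):
    """Controls the record's tier requires that are not yet applied."""
    required = TIER_CONTROLS[record_tier(record)]
    return sorted(required - set(applied))


def sharing_decision(record, external):
    """Action for a share attempt; internal sharing is allowed at every tier."""
    return EXTERNAL_SHARE_ACTION[record_tier(record)] if external else "allow"


if __name__ == "__main__":
    # Constructed sample record: an SSN typed into a free-text notes field.
    rec = {"business_email": "jane@example.com", "notes": "SSN 123-45-6789"}
    print(record_tier(rec), missing_controls(rec, ["encryption_at_rest"]))
```

The free-text escalation in `tier_of` is the point a field-name-only classifier misses: the sensitive category is decided by content, not by the column it landed in.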