NIST 800-53 REV 5 • PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY

PT-7(2)First Amendment Information

Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) limits agencies’ ability to process information that describes how individuals exercise rights guaranteed by the First Amendment. Organizations consult with the senior agency official for privacy and legal counsel regarding these requirements.

Practitioner Notes

First Amendment information relates to an individual's exercise of rights guaranteed by the First Amendment — religious beliefs, political activities, freedom of speech and association. Collecting or maintaining this information requires extreme care.

Example 1: Prohibit the collection of information about employees' or customers' religious beliefs, political affiliations, or protest activities unless there is a specific and documented legal requirement. If such information is inadvertently collected, establish procedures to delete it promptly.

Example 2: Train your HR and management staff that First Amendment activities — union membership, political donations, religious practices — are protected and must never be used as a factor in employment decisions or security determinations. Include this in your annual security and privacy awareness training.

More Personally Identifiable Information Processing and Transparency Controls

PT-1 Policy and Procedures PT-2 Authority to Process Personally Identifiable Information PT-2(1) Data Tagging PT-2(2) Automation