myctrl.tools
Compare

PM-27Privacy Reporting

PRIVACY

>Control Description

a

Develop organization-defined privacy reports and disseminate to:

1.

organization-defined oversight bodies to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and

2.

organization-defined officials and other personnel with responsibility for monitoring privacy program compliance; and

b

Review and update privacy reports organization-defined frequency.

>Cross-Framework Mappings

SCF

PRI-14
Compare

>Supplemental Guidance

Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. For federal agencies, privacy reports include annual senior agency official for privacy reports to OMB, reports to Congress required by Implementing Regulations of the 9/11 Commission Act, and other public reports required by law, regulation, or policy, including internal policies of organizations.

The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements.

>Related Controls

IR-9
PM-19

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is the process for providing privacy notices to individuals?
  • How does the organization ensure privacy notices are clear, accessible, and timely?
  • Who reviews and approves privacy notices?
  • How frequently are privacy notices reviewed and updated?
  • What governance exists for ensuring privacy notices remain current and compliant?

Technical Implementation:

  • How are privacy notices delivered to individuals (web, email, physical)?
  • What systems manage and track privacy notice dissemination?
  • How are privacy notices maintained and updated?
  • What accessibility features ensure privacy notices reach all individuals?

Evidence & Documentation:

  • Provide current privacy notices used by the organization.
  • Provide evidence of privacy notice delivery to individuals.
  • Provide records of privacy notice reviews and updates.
  • Provide documentation of privacy notice accessibility features.

Ask AI

Configure your API key to use AI features.