myctrl.tools

PT-7 Specific Categories Of Personally Identifiable Information

PRIVACY

>Control Description

Apply organization-defined processing conditions for specific categories of personally identifiable information.

>Control Enhancements (2)

>Cross-Framework Mappings

>Supplemental Guidance

Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, directives, regulations, policies, standards, or guidelines. The requirements may also come from the results of privacy risk assessments that factor in contextual changes that may result in an organizational determination that a particular category of personally identifiable information is particularly sensitive or raises particular privacy risks.

Organizations consult with the senior agency official for privacy and legal counsel regarding any protections that may be necessary.

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is the process for implementing specific privacy controls for PII processing?
  • How does the organization determine which privacy controls are required for different systems?
  • Who is responsible for selecting and implementing privacy controls?
  • How are privacy controls validated and tested for effectiveness?
  • What governance exists for maintaining and updating privacy controls?

Technical Implementation:

  • What specific privacy-enhancing technologies are implemented?
  • How are privacy controls integrated into system architectures?
  • What technical controls minimize PII collection and retention?
  • How is PII de-identified or anonymized when required?
  • What encryption or access controls specifically protect PII?

Evidence & Documentation:

  • Provide documentation of specific privacy controls implemented in systems.
  • Provide privacy impact assessments identifying required controls.
  • Provide evidence of privacy control implementation and testing.
  • Provide privacy control assessment results.
  • Provide documentation of privacy-enhancing technologies deployed.
