5 USC 552a(b)
Listed by: NARA Registry, DoD Registry, Related authorities
Designation evidence
- NARA authority row: 5 USC 552a(b) | status: Basic | banner: CUI.
- NARA sanctions field: 5 USC 552a(i).
- DoD authority row: 5 USC 552a(b). DoD lists this citation for the category; this DoD detail page does not display a separate Basic/Specified field.
- Related authority evidence: 5 USC 552a(b) | status: Basic | banner: CUI | sanctions: 5 USC 552a(i)
- Related authority evidence: DoD lists this authority for the category; the linked authority text is extracted below when available.
- Registry designation context: Basic + Specified, CUI. The linked authority text contains category-scope or applicability language that helps determine when the information falls within this CUI category. The linked authority text contains disclosure, access, protection, release, dissemination, or distribution-control language relevant to handling. The linked authority text contains violation, penalty, sanction, or enforcement language that may affect consequences for mishandling.
- Registry designation for this category is Basic + Specified with banner CUI.
Extracted authority meaning
- Source text: TITLE 5—GOVERNMENT ORGANIZATION AND EMPLOYEES, § 552a
Operating conditions
- NARA category scope used with this authority: Refers to personal information, or, in some cases, "personally identifiable information," as defined in OMB M-17-12, or "means of identification" as defined in 18 USC 1028(d)(7).
- DoD category scope used with this authority: Refers to personal information, or, in some cases, "personally identifiable information," as defined in OMB M-17-12, or "means of identification" as defined in 18 USC 1028(d)(7).
- 5 USC 552a(b) | status: Basic | banner: CUI | sanctions: 5 USC 552a(i)
- DoD lists this authority for the category; the linked authority text is extracted below when available.
- NARA registry status: Basic + Specified. Per-authority NARA status values: Basic, Specified. NARA banner marking evidence: CUI, CUI//SP-PRVCY. The registry evidence is preserved here; detailed primary-law or regulation text analysis remains pending for this category.
- NARA category scope: Refers to personal information, or, in some cases, "personally identifiable information," as defined in OMB M-17-12, or "means of identification" as defined in 18 USC 1028(d)(7).
- DoD registry-required warning statement: May require a Privacy Act Statement
- Extracted authority condition: (b) CONDITIONS OF DISCLOSURE.—No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would be— (1) to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties; (2) required under section 552 of this title; (3) for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section; (4) to the Bureau of the Census for purposes of planning or carrying out a census or survey or related activity pursuant to the provisions of title 13; (5) to a recipient who has provided the agency with advance adequate written assurance that the record will be used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable; (6) to the National Archives and Records Administration as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government,...
- Extracted authority condition: ng number, symbol, or other identifying particular assigned to the individual; (6) the term "statistical record" means a record in a system of records maintained for statistical research or reporting purposes only and not used in whole or in part in making any determination about an identifiable individual, except as provided by section 8 of title 13; (7) the term "routine use" means,...
- Extracted authority condition: Records maintained on individuals (a) DEFINITIONS.—For purposes of this section— (1) the term "agency" means agency as defined in section 552(e) of this title; (2) the term "individual" means a citizen of the United States or an alien lawfully admitted for permanent residence; (3) the term "maintain" includes maintain, collect, use, or disseminate; (4) the term "record" means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph; (5) the term "system of records" means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual; (6) the term "statistical record" means a record in a system of records maintained for statistical research or repo...
- Extracted authority condition: (f) AGENCY RULES.—In order to carry out the provisions of this section, each agency that maintains a system of records shall promulgate rules, in accordance with the requirements (including general notice) of section 553 of this title, which shall— (1) establish procedures whereby an individual can be notified in response to his request if any system of records named by the individual contains a record pertaining to him; (2) define reasonable times, places, and requirements for identifying an individual who requests his record or information pertaining to him before the agency shall make the record or information available to the individual; (3) establish procedures for the disclosure to an individual upon his request of his record or information pertaining to him, including special procedure, if deemed necessary, for the disclosure to an individual of medical records, including psychological records, pertaining to him; (4) establish procedures for reviewing a request from an individual concerning the amendment of any record or information pertaining to the individual, for making a determination on the request, for an appeal within the agency of an initial adverse agency determination, and for whatever additional means may be necessary for each individual to be able to exercise fully his rights under this section;...
Safeguarding and dissemination controls
- NARA registry control evidence: status Basic; banner marking CUI.
- DoD required warning statement: May require a Privacy Act Statement
- DoD applicable policies: DoDI 5400.11
- NARA basic or specified: Basic + Specified
- NARA authority rows:
  - 5 USC 552a(b) | status: Basic | banner: CUI | sanctions: 5 USC 552a(i)
  - 34 USC 20920(b)(2) | status: Basic | banner: CUI
  - 29 CFR 2400.4 | status: Basic | banner: CUI
  - 29 CFR 2705.9 | status: Basic | banner: CUI
  - 12 CFR 792.60 | status: Basic | banner: CUI
  - 12 CFR 792.69(c) | status: Basic | banner: CUI
  - 17 CFR 146.6(a) | status: Basic | banner: CUI
  - 18 CFR 3b.225(a) | status: Basic | banner: CUI
  - 5 CFR 297.401 | status: Basic | banner: CUI
  - OMB M-17-12 | status: Specified | banner: CUI//SP-PRVCY
  - 48 CFR 22.1024 | status: Basic | banner: CUI
  - 20 CFR 401.100 | status: Basic | banner: CUI
  - 20 CFR 401.105(b) | status: Basic | banner: CUI
  - 11 CFR 1.14 | status: Basic | banner: CUI
  - OMB Circular A-130 | status: Basic | banner: CUI
- NARA banner markings: CUI, CUI//SP-PRVCY
- NARA sanctions: 5 USC 552a(i)
- No DoD required dissemination control is listed on the registry page. Apply approved limited dissemination controls only when required or permitted by the designating agency or governing authority.
- Use the registry assertions, NARA authority rows, DoD authorities, DoD policies, warning statements, required dissemination controls, and examples first. Where the cited authority does not specify a handling detail, apply CUI Basic safeguards and dissemination rules so long as they do not conflict with the authority or agency-specific controls.
- Extracted authority control: L. 93–579, § 2, Dec. 31, 1974, 88 Stat. 1896, provided that: "(a) The Congress finds that— "(1) the privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies; "(2) the increasing use of computers and sophisticated information technology, while essential to the efficient operations of the Government, has greatly magnified the harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of personal information; "(3) the opportunities for an individual to secure employment, insurance, and credit, and his right to due process, and other legal protections are endangered by the misuse of certain information systems; "(4) the right to privacy is a personal and fundamental right protected by the Constitution of the United States; and "(5) in order to protect the privacy of individuals identified in information systems maintained by Federal agencies, it is necessary and proper for the Congress to regulate the collection, maintenance, use, and dissemination of information by such agencies. "(b) The purpose of this Act [enacting this section and provisions set out as notes under this section] is to provide certain safeguards for an individual against an invasion of personal privacy by requiring Federal agencies,...
- Extracted authority control: (c) Except in a case where the agency finds that the public interest requires otherwise, the second sentence of subsection (b) shall not apply to any portion of an agency meeting, and the requirements of subsections (d) and (e) shall not apply to any information pertaining to such meeting otherwise required by this section to be disclosed to the public, where the agency properly determines that such portion or portions of its meeting or the disclosure of such information is likely to— (1) disclose matters that are (A) specifically authorized under criteria established by an Executive order to be kept secret in the interests of national defense or foreign policy and (B) in fact properly classified pursuant to such Executive order; (2) relate solely to the internal personnel rules and practices of an agency; (3) disclose matters specifically exempted from disclosure by statute (other than section 552 of this title), provided that such statute (A) requires that the matters be withheld from the public in such a manner as to leave no discretion on the issue, or (B) establishes particular criteria for withholding or refers to particular types of matters to be withheld; (4) disclose trade secrets and commercial or financial information obtained from a person and privileged or confidential; (5) involve accusing any person of a crime,...
- Extracted authority control: EXTENSION OF PRIVACY ACT REMEDIES TO CITIZENS OF DESIGNATED COUNTRIES. "(a) CIVIL ACTION; CIVIL REMEDIES.—With respect to covered records, a covered person may bring a civil action against an agency and obtain civil remedies, in the same manner, to the same extent, and subject to the same limitations, including exemptions and exceptions, as an individual may bring and obtain with respect to records under— "(1) section 552a(g)(1)(D) of title 5, United States Code, but only with respect to disclosures intentionally or willfully made in violation of section 552a(b) of such title; and "(2) subparagraphs (A) and (B) of section 552a(g)(1) of title 5, United States Code, but such an action may only be brought against a designated Federal agency or component. "(b) EXCLUSIVE REMEDIES.—The remedies set forth in subsection (a) are the exclusive remedies available to a covered person under this section. "(c) APPLICATION OF THE PRIVACY ACT WITH RESPECT TO A COVERED PERSON.—For purposes of a civil action described in subsection (a), a covered person shall have the same rights, and be subject to the same limitations, including exemptions and exceptions, as an individual has and is subject to under section 552a of title
- Extracted authority control: The Archivist of the United States shall not disclose the record except to the agency which maintains the record, or under rules established by that agency which are not inconsistent with the provisions of this section.
5 CFR 297.401
Listed by: NARA Registry, DoD Registry, Related authorities
Designation evidence
- NARA authority row: 5 CFR 297.401 | status: Basic | banner: CUI.
- DoD authority row: 5 CFR 297.401. DoD lists this citation for the category; this DoD detail page does not display a separate Basic/Specified field.
- Related authority evidence: 5 CFR 297.401 | status: Basic | banner: CUI
- Related authority evidence: DoD lists this authority for the category; the linked authority text is extracted below when available.
- Registry designation context: Basic + Specified, CUI. The linked authority text contains category-scope or applicability language that helps determine when the information falls within this CUI category. The linked authority text contains disclosure, access, protection, release, dissemination, or distribution-control language relevant to handling. The linked authority text contains violation, penalty, sanction, or enforcement language that may affect consequences for mishandling.
- Registry designation for this category is Basic + Specified with banner CUI.
Extracted authority meaning
- 5 CFR 297.401 authority text
Operating conditions
- NARA category scope used with this authority: Refers to personal information, or, in some cases, "personally identifiable information," as defined in OMB M-17-12, or "means of identification" as defined in 18 USC 1028(d)(7).
- DoD category scope used with this authority: Refers to personal information, or, in some cases, "personally identifiable information," as defined in OMB M-17-12, or "means of identification" as defined in 18 USC 1028(d)(7).
- 5 CFR 297.401 | status: Basic | banner: CUI
- DoD lists this authority for the category; the linked authority text is extracted below when available.
- NARA registry status: Basic + Specified. Per-authority NARA status values: Basic, Specified. NARA banner marking evidence: CUI, CUI//SP-PRVCY. The registry evidence is preserved here; detailed primary-law or regulation text analysis remains pending for this category.
- NARA category scope: Refers to personal information, or, in some cases, "personally identifiable information," as defined in OMB M-17-12, or "means of identification" as defined in 18 USC 1028(d)(7).
- DoD registry-required warning statement: May require a Privacy Act Statement
- Extracted authority condition: (a) The Office may disclose, without prior consent of the data subject, specified information from a system of records whenever such disclosure is pursuant to an order signed by the appropriate official of a court of competent jurisdiction or quasi-judicial agency.
- Extracted authority condition: (d) Before responding to the order or subpoena signed by a judge, an official with authority to disclose records under this subpart in consulting with legal counsel will ensure that— (1) The requested material is relevant to the subject matter of the related judicial or administrative proceeding; (2) Motion is made to quash or modify an order that is unreasonable or oppressive; (3) Motion is made for a protective order when necessary to restrict the use or disclosure of any information furnished for purposes other than those of the involved proceeding; or (4) Request is made for an extension of time allowed for response, if necessary.
- Extracted authority condition: (g) In all situations concerning an order, subpoena signed by a judge, or other demand for an employee of the Office to produce any material or testimony concerning the records that are subject to the order, that are contained in the Office's systems of records, and that are acquired as part of the employee's official duties, the employee shall not provide the information without the prior approval of the appropriate Office official.
- Extracted authority condition: (e)(1) To a recipient who has provided the agency with advance adequate written assurance that the record will be used solely as a statistical research or reporting record.
Safeguarding and dissemination controls
- NARA registry control evidence: status Basic; banner marking CUI.
- DoD required warning statement: May require a Privacy Act Statement
- DoD applicable policies: DoDI 5400.11
- NARA basic or specified: Basic + Specified
- NARA authority rows:
  - 5 USC 552a(b) | status: Basic | banner: CUI | sanctions: 5 USC 552a(i)
  - 34 USC 20920(b)(2) | status: Basic | banner: CUI
  - 29 CFR 2400.4 | status: Basic | banner: CUI
  - 29 CFR 2705.9 | status: Basic | banner: CUI
  - 12 CFR 792.60 | status: Basic | banner: CUI
  - 12 CFR 792.69(c) | status: Basic | banner: CUI
  - 17 CFR 146.6(a) | status: Basic | banner: CUI
  - 18 CFR 3b.225(a) | status: Basic | banner: CUI
  - 5 CFR 297.401 | status: Basic | banner: CUI
  - OMB M-17-12 | status: Specified | banner: CUI//SP-PRVCY
  - 48 CFR 22.1024 | status: Basic | banner: CUI
  - 20 CFR 401.100 | status: Basic | banner: CUI
  - 20 CFR 401.105(b) | status: Basic | banner: CUI
  - 11 CFR 1.14 | status: Basic | banner: CUI
  - OMB Circular A-130 | status: Basic | banner: CUI
- NARA banner markings: CUI, CUI//SP-PRVCY
- NARA sanctions: 5 USC 552a(i)
- No DoD required dissemination control is listed on the registry page. Apply approved limited dissemination controls only when required or permitted by the designating agency or governing authority.
- Use the registry assertions, NARA authority rows, DoD authorities, DoD policies, warning statements, required dissemination controls, and examples first. Where the cited authority does not specify a handling detail, apply CUI Basic safeguards and dissemination rules so long as they do not conflict with the authority or agency-specific controls.
- Extracted authority control: (j) To the Comptroller General or any authorized representatives of the Comptroller General in the course of the performance of the duties of the General Accounting Office.
- Extracted authority control: (i) Notice of the issuance of the ex parte order or subpoena signed by a judge is not required if the system of records has been exempted from the notice requirement of 5 U.S.C. 552a(e)(8) pursuant to 5 U.S.C. 552a(j) by a Notice of Exemption published in the FEDERAL REGISTER. [53 FR 1998, Jan. 26, 1988, as amended at 57 FR 56732, Nov. 30, 1992]
- Extracted authority control: An official or employee of the Office or agency should not disclose a record retrieved from a Governmentwide system of records to any person, another agency, or other entity without the express written consent of the subject individual unless disclosure is— (a) To officers or employees of the Office who have a need for the information in the performance of their duties.
- Extracted authority control: (g) To another agency or instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law, and if the head of the agency or instrumentality or his designated representative has made a written request to the Office or agency that maintains the record specifying the particular portion desired and the law enforcement activity for which the record is sought.
- Extracted authority control: (d) Before responding to the order or subpoena signed by a judge, an official with authority to disclose records under this subpart in consulting with legal counsel will ensure that— (1) The requested material is relevant to the subject matter of the related judicial or administrative proceeding; (2) Motion is made to quash or modify an order that is unreasonable or oppressive; (3) Motion is made for a protective order when necessary to restrict the use or disclosure of any information furnished for purposes other than those of the involved proceeding; or (4) Request is made for an extension of time allowed for response, if necessary.
OMB M-17-12
Listed by: NARA Registry, DoD Registry, Related authorities
Designation evidence
- NARA authority row: OMB M-17-12 | status: Specified | banner: CUI//SP-PRVCY.
- DoD authority row: OMB M-17-12. DoD lists this citation for the category; this DoD detail page does not display a separate Basic/Specified field.
- Related authority evidence: OMB M-17-12 | status: Specified | banner: CUI//SP-PRVCY
- Related authority evidence: DoD lists this authority for the category; the linked authority text is extracted below when available.
- Registry designation context: Basic + Specified, CUI. The linked authority text contains category-scope or applicability language that helps determine when the information falls within this CUI category. The linked authority text contains disclosure, access, protection, release, dissemination, or distribution-control language relevant to handling. The linked authority text contains violation, penalty, sanction, or enforcement language that may affect consequences for mishandling.
- Registry designation for this category is Basic + Specified with banner CUI.
Extracted authority meaning
- OMB M-17-12 authority text
Operating conditions
- NARA category scope used with this authority: Refers to personal information, or, in some cases, "personally identifiable information," as defined in OMB M-17-12, or "means of identification" as defined in 18 USC 1028(d)(7).
- DoD category scope used with this authority: Refers to personal information, or, in some cases, "personally identifiable information," as defined in OMB M-17-12, or "means of identification" as defined in 18 USC 1028(d)(7).
- OMB M-17-12 | status: Specified | banner: CUI//SP-PRVCY
- DoD lists this authority for the category; the linked authority text is extracted below when available.
- NARA registry status: Basic + Specified. Per-authority NARA status values: Basic, Specified. NARA banner marking evidence: CUI, CUI//SP-PRVCY. The registry evidence is preserved here; detailed primary-law or regulation text analysis remains pending for this category.
- NARA category scope: Refers to personal information, or, in some cases, "personally identifiable information," as defined in OMB M-17-12, or "means of identification" as defined in 18 USC 1028(d)(7).
- DoD registry-required warning statement: May require a Privacy Act Statement
- Extracted authority condition: • Breach Response Team, including the specific agency officials who comprise the breach response team, as well as their respective roles and responsibilities when responding to a breach. • Identifying Applicable Privacy Compliance Documentation, including the responsibility to identify any applicable Privacy Act SORNs, privacy impact assessments (PIAs), and privacy notices that may apply to the potentially compromised information. • Information Sharing to Respond to a Breach, including the potential information sharing within the agency, between agencies, or with a non-Federal entity that may arise following a breach to reconcile or eliminate duplicate records, to identify potentially affected individuals, or to obtain contact information to notify potentially affected individuals. • Reporting Requirements, including the specific agency officials responsible for reporting a breach to US-CERT, law enforcement and oversight entities, and Congress, when appropriate. • Assessing the Risk of Harm to Individuals Potentially Affected by a Breach, including the factors the agency shall consider when assessing the risk of harm to potentially affected individuals. • Mitigating the Risk of Harm to Individuals Potentially Affected by a Breach, including whether the agency should provide guidance to potentially affected individuals,...
- Extracted authority condition: When reviewing privacy compliance documentation in response to a breach, the agency's breach response plan shall, at a minimum, require the SAOP to consider the following: • Which SORNs, PIAs, and privacy notices apply to the potentially compromised information? • If PII maintained as part of a system of records needs to be disclosed as part of the breach response, is the disclosure permissible under the Privacy Act and how will the agency account for the disclosure? • If additional PII is necessary to contact or verify the identity of individuals potentially affected by the breach, does that information require new or revised SORNs or PIAs? • Are the relevant SORNs, PIAs, and privacy notices accurate and up-to-date?
- Extracted authority condition: Additionally, the Privacy Act requires agencies to protect against any anticipated threats or hazards to the security or integrity of records which could result in "substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained." Agencies must consider any and all risks relevant to the breach, which may include risks to the agency, agency information systems, agency programs and operations, the Federal Government, or national security.
- Extracted authority condition: The best method for providing notification will potentially depend on the number of individuals affected, the available contact information for the potentially affected individuals, and the urgency with which the individuals need to receive the notification. • First-Class Mail: First-class mail notification to the last known mailing address of the individual in agency records should be the primary means by which notification is provided.
- Extracted authority condition: Privacy Act Routine Uses Required to Respond to a Breach. The SAOP has agency-wide responsibility and accountability for the agency's privacy program and is responsible for overseeing, coordinating, and facilitating the agency's privacy compliance efforts, including those related to the Privacy Act of 1974. The SAOP shall ensure that all agency Privacy Act system of records notices (SORNs) include routine uses for the disclosure of information necessary to respond to a breach either of the agency's PII or, as... [footnote 30: See 44 U.S.C. § 3554(b).]
Safeguarding and dissemination controls
- NARA registry control evidence: status Specified; banner marking CUI//SP-PRVCY.
- DoD required warning statement: May require a Privacy Act Statement
- DoD applicable policies: DoDI 5400.11
- NARA Basic or Specified: Basic + Specified
- NARA authority rows: 5 USC 552a(b) | status: Basic | banner: CUI | sanctions: 5 USC 552a(i) || 34 USC 20920(b)(2) | status: Basic | banner: CUI || 29 CFR 2400.4 | status: Basic | banner: CUI || 29 CFR 2705.9 | status: Basic | banner: CUI || 12 CFR 792.60 | status: Basic | banner: CUI || 12 CFR 792.69(c) | status: Basic | banner: CUI || 17 CFR 146.6(a) | status: Basic | banner: CUI || 18 CFR 3b.225(a) | status: Basic | banner: CUI || 5 CFR 297.401 | status: Basic | banner: CUI || OMB M-17-12 | status: Specified | banner: CUI//SP-PRVCY || 48 CFR 22.1024 | status: Basic | banner: CUI || 20 CFR 401.100 | status: Basic | banner: CUI || 20 CFR 401.105(b) | status: Basic | banner: CUI || 11 CFR 1.14 | status: Basic | banner: CUI || OMB Circular A-130 | status: Basic | banner: CUI
- NARA banner markings: CUI, CUI//SP-PRVCY
- NARA sanctions: 5 USC 552a(i)
- No DoD required dissemination control is listed on the registry page. Apply approved limited dissemination controls only when required or permitted by the designating agency or governing authority.
- Use the registry assertions, NARA authority rows, DoD authorities, DoD policies, warning statements, required dissemination controls, and examples first. Where the cited authority does not specify a handling detail, apply CUI Basic safeguards and dissemination rules so long as they do not conflict with the authority or agency-specific controls.
- Extracted authority control: Once convened, the SAOP is responsible for leading the breach response team's response to a breach. 'Federal Information' means information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the Federal Government, in any medium or form. 'Federal Information System' means an information system used or operated by an agency, by a contractor of an agency, or by another organization on behalf of an agency. 'Incident' means an occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. 'Personally Identifiable Information' means information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. 'Senior Agency Official for Privacy' means the senior official, designated by the head of each agency, who has agency-wide responsibility for privacy, including implementation of privacy protections, compliance with Federal laws, regulations, and policies relating to privacy; management of privacy risks at the agency;...
- Extracted authority control: A-130, Managing Information as a Strategic Resource (July 28, 2016), available at; FISMA, 44 U.S.C. § 3554, provides the following: "Federal agency responsibilities (a) IN GENERAL. The head of each agency shall (1) be responsible for (A) providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of (i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;[...]." [footnote 27: See 44 U.S.C. § 3552. footnote 28: See OMB Circular No....]
- Extracted authority control: The agency shall ensure that any required countermeasures are consistent with OMB Memorandum M-16-14, which, except under limited circumstances, requires the use of General Services Administration's (GSA) identity protection services (IPS) blanket purchase agreements (BPAs). GSA has awarded government-wide Federal Supply Schedule BPAs for identity monitoring, credit monitoring, and other related services.
- Extracted authority control: OMB Circular A-130, Managing Information as a Strategic Resource (July 28, 2016). Tip: See Appendix II, Section 5(h) for a summary of incident handling responsibilities for managing PII. OMB Memorandum M-16-14, Category Management Policy 16-2: Providing Comprehensive Identity Protection Services, Identity Monitoring, and Data Breach Response (July 1, 2016). Tip: This Memorandum requires, with limited exceptions, that agencies use the government-wide blanket purchase agreement for Identity Monitoring Data Breach Response and Protection Services awarded by the General Services Administration.
- Extracted authority control: At a minimum, the breach response team shall always be convened when a breach constitutes a major incident, as defined in OMB guidance (see Section VII.D.3 of this Memorandum).