Skip to main content

PRI-05.4: Usage Restrictions of Personal Data (PD)

PRI 8 — High Identify

Mechanisms exist to restrict collecting, receiving, processing, storing, transmitting, sharing and/or updating Personal Data (PD) to: (1) The purpose(s) originally collected, consistent with the data privacy notice(s); (2) What is authorized by the data subject, or authorized agent; and (3) What is consistent with applicable laws, regulations and contractual obligations.

Control Question: Does the organization restrict collecting, receiving, processing, storing, transmitting, sharing and/or updating Personal Data (PD) to: (1) The purpose(s) originally collected, consistent with the data privacy notice(s); (2) What is authorized by the data subject, or authorized agent; and (3) What is consistent with applicable laws, regulations and contractual obligations?

General (24)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) P4.0 P4.1 P4.1-POF1
CSA CCM 4 DSP-12 DSP-17
Generally Accepted Privacy Principles (GAPP) 5.2.1 9.2.2
ISO 27002 2022 5.33
ISO 27017 2015 18.1.4
ISO 29100 2024 6.6
MITRE ATT&CK 10 T1005, T1025, T1041, T1048, T1048.002, T1048.003, T1052, T1052.001, T1133, T1213, T1213.001, T1213.002, T1552.007, T1567
NIST AI 100-1 (AI RMF) 1.0 MAP 1.6
NIST Privacy Framework 1.0 CT.DM-P8 CT.DP-P4 CT.PO-P1 CT.PO-P2
NIST 800-53 R4 DM-3(1) UL-1
NIST 800-53 R5 (source) AC-23 PM-25 PT-2 PT-7
NIST 800-53B R5 (privacy) (source) PM-25 PT-2 PT-7
NIST 800-53 R5 (NOC) (source) AC-23
NIST 800-161 R1 AC-23 PM-25
NIST 800-161 R1 Flow Down AC-23
NIST 800-161 R1 Level 2 AC-23 PM-25
NIST 800-161 R1 Level 3 AC-23
OECD Privacy Principles 4
PCI DSS 4.0.1 (source) 6.5.5
PCI DSS 4.0.1 SAQ D Merchant (source) 6.5.5
PCI DSS 4.0.1 SAQ D Service Provider (source) 6.5.5
Shared Assessments SIG 2025 P.2.3
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) PRI-05.4
SCF CORE AI Model Deployment PRI-05.4
US (19)
Framework Mapping Values
US CERT RMM 1.2 COMP:SG2.SP1 COMP:SG3.SP1 KIM:SG2.SP1 KIM:SG2.SP2
US CJIS Security Policy 5.9.3 (source) 4.2.2 4.2.3.1 4.2.3.2 4.3
US CMS MARS-E 2.0 DM-3(1) UL-1
US COPPA 6502
US Data Privacy Framework (DPF) II.2.c
US FERPA (source) 1232g
US FIPPS 4
US HHS 45 CFR 155.260 155.260(a)(3)(v)
US HIPAA Administrative Simplification 2013 (source) 164.502(c) 164.502(d)(1) 164.504(g)(2) 164.506(a) 164.506(c)(1) 164.506(c)(5) 164.508(a)(1) 164.508(a)(2)(i)(C) 164.510(a)(1)(i)(A) 164.510(a)(1)(i)(B) 164.510(a)(1)(i)(C) 164.510(a)(1)(i)(D) 164.510(a)(1)(ii)(A) 164.510(a)(1)(ii)(B) 164.510(b)(4) 164.512 164.512(i)(1) 164.512(j)(1) 164.512(j)(1)(i)(A) 164.512(j)(1)(i)(B) 164.512(j)(1)(ii) 164.512(j)(1)(ii)(A) 164.512(j)(1)(ii)(B) 164.512(j)(2)(i) 164.512(j)(2)(ii) 164.512(j)(3) 164.512(j)(4) 164.512(k)(1)(i) 164.512(k)(1)(i)(A) 164.512(k)(1)(i)(B) 164.512(k)(1)(ii) 164.512(k)(1)(iii) 164.512(k)(1)(iv) 164.512(k)(2) 164.512(k)(3) 164.512(k)(4) 164.512(k)(4)(i) 164.512(k)(4)(ii) 164.512(k)(4)(iii) 164.512(k)(5)(i) 164.512(k)(5)(i)(A) 164.512(k)(5)(i)(B) 164.512(k)(5)(i)(C) 164.512(k)(5)(i)(D) 164.512(k)(5)(i)(E) 164.512(k)(5)(i)(F) 164.512(k)(5)(ii) 164.512(k)(5)(iii) 164.512(k)(6)(i) 164.512(k)(6)(ii) 164.512(k)(6)(ii)(1) 164.514(f)(2)(i) 164.514(g)
US IRS 1075 AC-23 PT-2
US SSA EIESR 8.0 5.8
US - CA CCPA 2025 7023(d)(3) 7026(f) 7026(f)(1) 7027(a)
US - CO Colorado Privacy Act 6-1-1305(2) 6-1-1308(4) 6-1-1308(7)
US - IL BIPA 15(b)(2)
US - NV SB220 2.3
US - OR CPA 4(7)(b) 5(2)(a)
US - TN TIPA 47-18-3203(a)(2)(C)(i)(b) 47-18-3203(a)(2)(C)(ii) 47-18-3204(a)(6) 47-18-3207(b) 47-18-3207(c) 47-18-3207(d)
US - TX CDPA 541.052(f)(2) 541.204(a) 541.204(a)(1) 541.204(a)(2) 541.204(b)
US - VA CDPA 2025 59.1-577.1.C 59.1-578.A.2 59.1-578.F.1.c
EMEA (20)
Framework Mapping Values
EMEA EU AI Act 10.5(c) 10.5(d)
EMEA EU Cyber Resiliency Act Annexes Annex 1.1(3)(e)
EMEA Austria Sec 12
EMEA Belgium 4-7 21
EMEA Hungary 9
EMEA Israel 8
EMEA Italy 13 20
EMEA Kenya DPA 2019 44 45(a) 45(a)(i) 45(a)(ii) 45(b) 45(c)(i) 45(c)(ii) 45(c)(iii) 46(1)(a) 46(1)(b) 46(2)(a) 46(2)(b) 47(1) 47(2)(a) 47(2)(b) 47(2)(c) 47(2)(d) 47(3)
EMEA Netherlands 9
EMEA Nigeria DPR 2019 3.1(12)
EMEA Norway 9
EMEA Poland 27
EMEA Qatar PDPPL 8.2 9.4 10 16 22
EMEA Russia 6 10
EMEA Saudi Arabia PDPL 11.3
EMEA Serbia 87/2018 5.1 5.3 17 17.1 17.2 17.3 17.4 17.5 17.6 17.7 17.8 17.9 17.10 18.1 18.2 18.3 19
EMEA South Africa 15 26
EMEA Sweden 13
EMEA Turkey 6
EMEA UK DPA Chapter29-Schedule1-Part1-Principle 3
APAC (13)
Framework Mapping Values
APAC Australia Privacy Act APP Part 3
APAC Australian Privacy Principles APP 6 APP 7 APP 9
APAC China Cybersecurity Law 41 44
APAC China Privacy Law 13 13(1) 13(2) 13(3) 13(4) 13(5) 13(6) 13(7) 18 28 29 30 31 32
APAC India DPDPA 2023 7(f) 7(g) 7(h) 7(i) 8(1)
APAC Japan APPI 16-2
APAC Japan ISMAP 18.1.4
APAC Malaysia 34
APAC New Zealand Privacy Act of 2020 Principle 10 P10-(1) P10-(1)(a) P10-(1)(b)(i) P10-(1)(b)(ii) P10-(1)(c) P10-(1)(d) P10-(1)(e)(i) P10-(1)(e)(ii) P10-(1)(e)(iii) P10-(1)(e)(iv) P10-(1)(f)(i) P10-(1)(f)(ii) P10-(2)
APAC Philippines 19 22 34
APAC Singapore 14
APAC South Korea 16 18 23
APAC Taiwan 5
Americas (8)
Framework Mapping Values
Americas Argentina PPL 6 7
Americas Argentina Reg 132-2018 4.3
Americas Bahamas 12
Americas Chile 10
Americas Colombia 4 5 6 7
Americas Costa Rica 9
Americas Mexico 7 9
Americas Uruguay 5 6 18 19 20 21 22

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to restrict collecting, receiving, processing, storing, transmitting, sharing and/or updating Personal Data (PD) to: (1) The purpose(s) originally collected, consistent with the data privacy notice(s); (2) What is authorized by the data subject, or authorized agent; and (3) What is consistent with applicable laws, regulations and contractual obligations.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to restrict collecting, receiving, processing, storing, transmitting, sharing and/or updating Personal Data (PD) to: (1) The purpose(s) originally collected, consistent with the data privacy notice(s); (2) What is authorized by the data subject, or authorized agent; and (3) What is consistent with applicable laws, regulations and contractual obligations.

Level 2 — Planned & Tracked

C|P-CMM2 is N/A, since a well-defined process is required to restrict collecting, receiving, processing, storing, transmitting, sharing and/or updating Personal Data (PD) to: (1) The purpose(s) originally collected, consistent with the data privacy notice(s); (2) What is authorized by the data subject, or authorized agent; and (3) What is consistent with applicable laws, regulations and contractual obligations.

Level 3 — Well Defined

Privacy (PRI) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • A Chief Privacy Officer (CPO), or similar function with technical competence to address data privacy concerns, analyzes the organization's business strategy to develop and publish authoritative guidance on the organization's data privacy program.
  • A Privacy program, run by a CPO, or similar role, ensures that applicable statutory, regulatory and contractual data privacy obligations are properly identified and implemented to limit and secure Personal Data (PD) that the organization stores, transmits and processes.
  • As part of the organization's data privacy program, the CPO publishes a clear set of “data privacy principles”, based on leading data privacy practices, that systems, applications, services, processes and third-parties must adhere to.
  • A Project Management Office (PMO), or project management function, ensures both cybersecurity and data privacy principles are identified and implemented within ongoing or planned projects.
  • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for cybersecurity-related data privacy practices.
  • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for cybersecurity-related data privacy practices.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to data privacy.
  • A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program.
  • Data/process owners operationalize data privacy controls into the processes they control.
  • Third-party contracts included data protection requirements, including flow-down requirements to subcontractors.
  • Data Protection Officers (DPOs) are assigned to work closely with business units and project teams to ensure data privacy principles are being implemented.
  • CPO and DPO determine and document the legal authority that permits the collection, use, maintenance and sharing of PD, either generally or in support of a specific program or system need.
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to restrict collecting, receiving, processing, storing, transmitting, sharing and/or updating Personal Data (PD) to: (1) The purpose(s) originally collected, consistent with the data privacy notice(s); (2) What is authorized by the data subject, or authorized agent; and (3) What is consistent with applicable laws, regulations and contractual obligations.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to restrict collecting, receiving, processing, storing, transmitting, sharing and/or updating Personal Data (PD) to: (1) The purpose(s) originally collected, consistent with the data privacy notice(s); (2) What is authorized by the data subject, or authorized agent; and (3) What is consistent with applicable laws, regulations and contractual obligations.

Assessment Objectives

  1. PRI-05.4_A01 the authority to permit the processing of Personal Data (PD) is defined.
  2. PRI-05.4_A02 the type of processing of Personal Data (PD) is defined.
  3. PRI-05.4_A03 the type of processing of Personal Data (PD) to be restricted is defined.
  4. PRI-05.4_A04 the authority that permits the processing of Personal Data (PD) is determined and documented.
  5. PRI-05.4_A05 the processing of Personal Data (PD) is restricted to only that which is authorized.
  6. PRI-05.4_A06 processing conditions to be applied for specific categories of Personal Data (PD) are defined.
  7. PRI-05.4_A07 processing conditions are applied for specific categories of Personal Data (PD).
  8. PRI-05.4_A08 data mining prevention and detection techniques are defined.
  9. PRI-05.4_A09 data storage objects to be protected against unauthorized data mining are defined.
  10. PRI-05.4_A10 organization-defined techniques are employed for organization-defined data storage objects to detect and protect against unauthorized data mining.
  11. PRI-05.4_A11 the frequency for reviewing policies that address the use of Personal Data (PD) for internal testing, training and research is defined.
  12. PRI-05.4_A12 the frequency for updating policies that address the use of Personal Data (PD) for internal testing, training and research is defined.
  13. PRI-05.4_A13 the frequency for reviewing procedures that address the use of Personal Data (PD) for internal testing, training and research is defined.
  14. PRI-05.4_A14 the frequency for updating procedures that address the use of Personal Data (PD) for internal testing, training and research is defined.
  15. PRI-05.4_A15 policies that address the use of Personal Data (PD) for internal testing are developed and documented.
  16. PRI-05.4_A16 policies that address the use of Personal Data (PD) for internal training are developed and documented.
  17. PRI-05.4_A17 policies that address the use of Personal Data (PD) for internal research are developed and documented.
  18. PRI-05.4_A18 procedures that address the use of Personal Data (PD) for internal testing are developed and documented.
  19. PRI-05.4_A19 procedures that address the use of Personal Data (PD) for internal training are developed and documented.
  20. PRI-05.4_A20 procedures that address the use of Personal Data (PD) for internal research are developed and documented.
  21. PRI-05.4_A21 policies that address the use of Personal Data (PD) for internal testing are implemented.
  22. PRI-05.4_A22 policies that address the use of Personal Data (PD) for training are implemented.
  23. PRI-05.4_A23 policies that address the use of Personal Data (PD) for research are implemented.
  24. PRI-05.4_A24 procedures that address the use of Personal Data (PD) for internal testing are implemented.
  25. PRI-05.4_A25 procedures that address the use of Personal Data (PD) for training are implemented.
  26. PRI-05.4_A26 procedures that address the use of Personal Data (PD) for research are implemented.
  27. PRI-05.4_A27 the amount of Personal Data (PD) used for internal testing purposes is limited or minimized.
  28. PRI-05.4_A28 the amount of Personal Data (PD) used for internal training purposes is limited or minimized.
  29. PRI-05.4_A29 the amount of Personal Data (PD) used for internal research purposes is limited or minimized.
  30. PRI-05.4_A30 the required use of Personal Data (PD) for internal testing is authorized.
  31. PRI-05.4_A31 the required use of Personal Data (PD) for internal training is authorized.
  32. PRI-05.4_A32 the required use of Personal Data (PD) for internal research is authorized.
  33. PRI-05.4_A33 policies are reviewed frequently.
  34. PRI-05.4_A34 policies are updated frequently.
  35. PRI-05.4_A35 procedures are reviewed frequently.
  36. PRI-05.4_A36 procedures are updated frequently.

Technology Recommendations

Micro/Small

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Small

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Medium

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Large

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

Enterprise

  • Data classification program
  • Data privacy program
  • Data Protection Impact Assessment (DPIA)
  • Product / project management

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free