What is the focus of SE-1 Inventory of Personally Identifiable Information?

The focus is using a Privacy Impact Assessment to create and maintain an inventory of PII. A PIA describes what PII is collected, how it’s used, where it’s stored, and who has access for each information system. By extracting that information from PIAs, the organization can map out all PII across its information systems, detailing types of PII, where it resides, data owners, and retention. This inventory is essential for privacy risk management, accountability, and ensuring controls are in place to protect PII. Other options relate to governance or privacy goals rather than building an actual inventory. Privacy policy updates are about policy changes, not the cataloging of PII. Reporting to OMB is an oversight activity, not the inventory itself. Reducing PII collection is a privacy principle and strategy, not the act of cataloging existing PII across systems.