
What does control A.1.5.5 require?

The organisation shall record disclosures of PII to third parties, including which PII has been disclosed, to whom and at what time.

This is the final control in the PII transfer objective (A.1.5) within the PII controller controls. While A.1.5.4 Records of PII Transfer focuses on recording formal transfers, A.1.5.5 broadens the scope to capture all disclosures, including those that fall outside the typical transfer framework.

What does the implementation guidance say?

Annex B (section B.1.5.5) provides the following guidance:

  • Normal operational disclosures should be recorded, such as sharing PII with a processor, a business partner, or a service provider as part of routine operations
  • Additional disclosures outside normal operations should also be recorded, such as disclosures made in response to legal investigations, audit requests from supervisory authorities, or court orders
  • Records should include the source of the disclosure — the person or system that initiated or authorised the disclosure
  • Records should include the authority to make the disclosure — the legal basis, contractual obligation or internal authorisation that permitted it

The distinction between “normal” and “additional” disclosures is important. Many organisations track routine data sharing but fail to record ad hoc disclosures made under pressure, such as responding to a law enforcement request. Both must be captured.

How does this map to GDPR?

Control A.1.5.5 maps to GDPR Article 30(1)(d), which requires that records of processing activities include the categories of recipients to whom personal data has been or will be disclosed, including recipients in third countries or international organisations.

This goes beyond simply listing recipient categories. The combination of A.1.5.4 Records of PII Transfer and A.1.5.5 ensures organisations can demonstrate, on a granular level, exactly what was shared with whom and when.

How does this relate to ISO 29100 privacy principles?

This control supports the ISO 29100 principle of Use, retention and disclosure limitation. Recording every disclosure creates the evidence base to demonstrate that PII is only shared where there is a documented and justified reason, and that unnecessary or unauthorised disclosures can be identified and investigated.



What evidence do auditors expect?

When assessing compliance with A.1.5.5, auditors will typically look for:

  • Disclosure register — A structured log of all PII disclosures showing the PII disclosed, the recipient, the date/time, and the authority for the disclosure
  • Authorisation records — Evidence of who authorised each disclosure, particularly for non-routine disclosures such as law enforcement requests
  • Process documentation — Defined procedures for recording disclosures, including who is responsible for maintaining the register
  • Coverage of non-routine disclosures — Evidence that the process captures disclosures outside normal operations, not just routine data sharing
  • Consistency with transfer records — That disclosure records align with the transfer records maintained under A.1.5.4 Records of PII Transfer
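As an added illustration of what such a register has to enforce (this is example code, not ISMS.online's platform or anything in the standard), the following minimal disclosure register rejects entries that lack the B.1.5.5 elements (PII, recipient, time, source, authority), insists on an authorisation record for non-routine disclosures, and checks that any linked transfer reference exists in the A.1.5.4 transfer records. Field names, the Kind split and the sample entries are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum

class Kind(Enum):
    NORMAL = "normal"          # routine: processor, partner, service provider
    ADDITIONAL = "additional"  # legal investigation, supervisory audit, court order

@dataclass
class Disclosure:
    pii: list[str]            # which PII was disclosed
    recipient: str            # to whom
    at: datetime              # at what time (must be timezone-aware)
    source: str               # person or system that initiated it (B.1.5.5)
    authority: str            # legal basis, contract or internal authorisation
    kind: Kind
    authorised_by: str = ""   # who signed off; mandatory for ADDITIONAL
    transfer_ref: str = ""    # matching A.1.5.4 transfer record, if any

def validate(d: Disclosure, transfer_refs: set[str]) -> list[str]:
    """Return the audit-evidence gaps in one entry (empty list = acceptable)."""
    errors = []
    for name in ("pii", "recipient", "source", "authority"):
        if not getattr(d, name):
            errors.append(f"missing {name}")
    if d.at.tzinfo is None:
        errors.append("timestamp must be timezone-aware")
    if d.kind is Kind.ADDITIONAL and not d.authorised_by:
        errors.append("non-routine disclosure lacks authorisation record")
    if d.transfer_ref and d.transfer_ref not in transfer_refs:
        errors.append(f"transfer_ref {d.transfer_ref!r} not in A.1.5.4 register")
    return errors

class DisclosureRegister:
    """Append-only log; entries failing validation are rejected, not stored."""
    def __init__(self, transfer_refs: set[str]):
        self.transfer_refs, self.entries = transfer_refs, []

    def record(self, d: Disclosure) -> None:
        if errors := validate(d, self.transfer_refs):
            raise ValueError("; ".join(errors))
        self.entries.append(d)

# Constructed sample: a routine disclosure tied to a transfer record, and a court-order one.
TS = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
ROUTINE = Disclosure(["name", "bank details"], "Payroll Ltd", TS, "hr-system",
                     "DPA PL-7", Kind.NORMAL, transfer_ref="TR-2026-001")
COURT = Disclosure(["name", "address"], "County Court", TS, "legal@example.org",
                   "Court order CO-12", Kind.ADDITIONAL, authorised_by="DPO")
```

A rejected entry is surfaced as an error rather than silently dropped, so the gap itself becomes something the disclosure owner has to resolve before the record is accepted.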

What are the related controls?

Each related control and its relationship to A.1.5.5:

  • A.1.5.4 Records of transfer of PII: Transfer records cover formal transfers; disclosure records capture the broader picture including ad hoc disclosures
  • A.1.5.2 Identify basis for PII transfer: The legal basis for transfers also applies to disclosures that involve cross-border data flows
  • A.1.5.3 Countries for PII transfer: Disclosures to parties in other jurisdictions should align with the approved destination list
  • A.1.2.9 Records of Processing PII: Disclosure records are a component of the overall records of processing activities
  • A.1.3.3 Determining information for PII principals: PII principals may need to be informed about disclosures of their data
  • A.1.3.8 Obligations to Inform Third Parties: Certain disclosures may trigger notification obligations to PII principals

What changed from ISO 27701:2019?

In the 2019 edition, this requirement was covered under Clause 7.5.4 (records of PII disclosure to third parties). The 2025 version retains the same core requirements but the restructured Annex B guidance now more explicitly distinguishes between normal operational disclosures and additional disclosures (legal investigations, audits). The requirement to record the source and authority for each disclosure is also given greater prominence. See the Annex F correspondence table for the full mapping.






Why choose ISMS.online for tracking PII disclosures?

ISMS.online makes it straightforward to maintain a complete disclosure record:

  • Disclosure register — Log every PII disclosure with structured fields for recipient, PII categories, date/time, source and authorisation
  • Workflow for non-routine disclosures — Built-in approval workflows for law enforcement requests and other exceptional disclosures, ensuring proper authorisation is captured before data is shared
  • Linked records — Connect disclosure entries to the relevant data processing agreements, transfer records and PII principal profiles
  • Audit trail — Every disclosure record includes a full history of who created, modified or reviewed it
  • Reporting — Generate disclosure reports by recipient, time period, PII category or authorisation type for management review and audits

FAQs

What is the difference between a transfer and a disclosure?

A transfer typically refers to the systematic movement of PII from one jurisdiction or organisation to another under a defined arrangement (e.g. a data processing agreement). A disclosure is broader and includes any sharing of PII with a third party, whether routine or one-off. All transfers are disclosures, but not all disclosures are transfers. For example, providing PII to a law enforcement agency in response to a court order is a disclosure but may not be a transfer in the traditional sense.


How should we handle disclosures to law enforcement?

Law enforcement disclosures should follow a defined procedure. Record the request received, the legal authority cited, who in the organisation authorised the disclosure, what PII was shared, when, and to which authority. If the request is informal (e.g. a verbal request without a court order), document the decision-making process and the basis on which the disclosure was made or refused.


Do we need to notify PII principals about disclosures?

It depends on the jurisdiction and the nature of the disclosure. Under GDPR, data subjects have the right to know the categories of recipients. For specific disclosures, notification may be required under A.1.3.8 Obligations to Inform Third Parties (notification of modification, processing or disclosure). However, certain disclosures, particularly to law enforcement, may be exempt from notification requirements where informing the PII principal would prejudice the investigation.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
