AP-02-727 Purpose Specification

Purpose Specification

Purpose Specification
Authority and Purpose
Privacy and Confidentiality, Security Assessment and Authorization / Technology Risk Assessments
January 20, 2018

The Agency's general authority to collect personal information, which includes a description of the purposes for which personal information is collected, is published at https://tti.tamu.edu/notices-policies/privacy-and-security-policy. Specific programs or information resources with authority to collect that extends beyond the Agency's general authority shall be published on that specific information resource.

Laws and regulations are violated due to an organization failing to provide notices on usage of customer data.
The organization describes the purpose(s) for which personally identifiable information (PII) is collected, used, maintained, and shared in its privacy notices.
Data classification (sensitive, non-sensitive, etc.) is conducted and the location or repositories of such is clearly defined.
No statewide control
Obtain data privacy notices, policies and procedures and ascertain if: (I) the organization expressly authorizes specific collections and uses of PII. (ii) the organization clearly describes the specific purpose for which the PII is collected in the privacy notices and other privacy related documentation including Privacy Impact Assessments (PIAs), System of Records Notices (SORNs) etc. (iii) the organization imparts training to personnel who are involved in handling of PII including collection, processing, maintenance and storage and on the contents of the notice in order to avoid unauthorized collections or uses of PII.