DM-01-727 Minimization of Personally Identifiable Information

Minimization of Personally Identifiable Information

Control ID

DM-01-727

Control Name

Minimization of Personally Identifiable Information

Control Category

Data Minimization and Retention

Functional Areas

Identify

Sub-Areas

Control Oversight and Safeguard Assurance, Privacy and Confidentiality

NIST Baseline Level(s)

NOT SELECTED

NIST Priority

State Implementation Required

Agency Last Implemented Date

Risk Statement

Laws and regulations are violated as a result of lack of controls over collection of personally identifiable information (PII)

Control Description

The organization: a. Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection; b. Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and c. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose. (1) MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION | LOCATE / REMOVE / REDACT / ANONYMIZE PII The organization, where feasible and within the limits of technology, locates and removes/redacts specified PII and/or uses anonymization and de-identification techniques to permit use of the retained information while reducing its sensitivity and reducing the risk resulting from disclosure.

Control Example

A privacy impact assessment determines the extent and nature of PII in the organization, and appropriate handling mechanisms are defined.

State Implementation

No statewide control

Testing Procedures

Obtain data privacy policy and procedures; other relevant documents or records and ascertain if: (I) the organization identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection; (ii) the organization limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; (iii) the organization conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings at least on an annual basis to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose; and (iv) the organization, where feasible and within the limits of technology, locates and removes/redacts specified PII and/or uses anonymization and de-identification techniques to permit use of the retained information while reducing its sensitivity and reducing the risk resulting from disclosure.