DM-01-727 Minimization of Personally Identifiable Information

Minimization of Personally Identifiable Information

DM-01-727
Minimization of Personally Identifiable Information
Data Minimization and Retention
Identify
Control Oversight and Safeguard Assurance, Privacy and Confidentiality
NOT SELECTED
NA
No
Laws and regulations are violated as a result of lack of controls over collection of personally identifiable information (PII)
The organization: a. Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection; b. Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and c. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose. (1) MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION | LOCATE / REMOVE / REDACT / ANONYMIZE PII The organization, where feasible and within the limits of technology, locates and removes/redacts specified PII and/or uses anonymization and de-identification techniques to permit use of the retained information while reducing its sensitivity and reducing the risk resulting from disclosure.
A privacy impact assessment determines the extent and nature of PII in the organization, and appropriate handling mechanisms are defined.
No statewide control
Obtain data privacy policy and procedures; other relevant documents or records and ascertain if: (I) the organization identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection; (ii) the organization limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; (iii) the organization conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings at least on an annual basis to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose; and (iv) the organization, where feasible and within the limits of technology, locates and removes/redacts specified PII and/or uses anonymization and de-identification techniques to permit use of the retained information while reducing its sensitivity and reducing the risk resulting from disclosure.