DM-03-727 Minimization of PII Used In Testing, Training, And Research

Minimization of PII Used In Testing, Training, And Research

Control ID

DM-03-727

Control Name

Minimization of PII Used In Testing, Training, And Research

Control Category

Data Minimization and Retention

Functional Areas

Identify

Sub-Areas

Privacy and Confidentiality

NIST Baseline Level(s)

NOT SELECTED

NIST Priority

State Implementation Required

Agency Last Implemented Date

Risk Statement

Laws and regulations are violated as a result of lack of controls over use of personally identifiable information (PII) in testing, training and research

Control Description

The organization: a. Develops policies and procedures that minimize the use of personally identifiable information (PII) for testing, training, and research; and b. Implements controls to protect PII used for testing, training, and research.

Control Example

A privacy impact assessment determines the extent and nature of PII in the organization, and appropriate handling mechanisms are defined.

State Implementation

No statewide control

Testing Procedures

Obtain data privacy policy and procedures; other relevant documents or records and ascertain if: (I) the organization develops policies and procedures that minimize the use of personally identifiable information (PII) for testing, training, and research; and (ii) the organization implements controls to protect PII used for testing, training, and research.