Laws and regulations are violated as a result of individuals not having the ability to choose how their personal information is to be used.
The organization:
a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection;
b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII;
c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; and
d. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII.
(1) CONSENT | MECHANISMS SUPPORTING ITEMIZED OR TIERED CONSENT
The organization implements mechanisms to support itemized or tiered consent for specific uses of data.
Users sign-off on acceptable usage guidelines for PII.
No statewide control
Obtain data privacy policy and procedures; other relevant documents or records and ascertain if:
(I) the organization provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection;
(ii) the organization provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII;
(iii) the organization obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII;
(iv) the organization ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII; and
(v) the organization implements mechanisms to support itemized or tiered consent for specific uses of data.