IP-01-727 Consent

Consent

Control ID

IP-01-727

Control Name

Consent

Control Category

Individual Participation and Redress

Functional Areas

Identify

Sub-Areas

Privacy and Confidentiality

NIST Baseline Level(s)

NOT SELECTED

NIST Priority

State Implementation Required

Agency Last Implemented Date

Risk Statement

Laws and regulations are violated as a result of individuals not having the ability to choose how their personal information is to be used.

Control Description

The organization: a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection; b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII; c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; and d. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII. (1) CONSENT | MECHANISMS SUPPORTING ITEMIZED OR TIERED CONSENT The organization implements mechanisms to support itemized or tiered consent for specific uses of data.

Control Example

Users sign-off on acceptable usage guidelines for PII.

State Implementation

No statewide control

Testing Procedures

Obtain data privacy policy and procedures; other relevant documents or records and ascertain if: (I) the organization provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection; (ii) the organization provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII; (iii) the organization obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; (iv) the organization ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII; and (v) the organization implements mechanisms to support itemized or tiered consent for specific uses of data.