Navigate

CCI-003487

CCI-003487 Definition

The organization limits the collection and retention of personally identifiable information (PII) to the minimum elements identified for the purposes described in the published privacy notice.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents and implements a process to limit the collection and retention of PII to the minimum elements identified for the purposes described in the published SORN and Privacy Act Statement.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed limits the collection and retention of PII to the minimum elements identified for the purposes described in the published SORN and Privacy Act Statement.

Compelling Evidence

1.) Site must provide their signed and dated SORN policy document. The document must describe a process to ensure the organization limits the collection and retention of PII to the minimum elements. 2.) Reviewer will validate both the existence of the documentation and how the site implement this policy.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003487.

Control	Description
DM-1	The organization: DM-1a.: Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection; DM-1b.: Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and DM-1c.: Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose.

Control

Description

DM-1

The organization:

DM-1a.: Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection;

DM-1b.: Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and

DM-1c.: Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose.