Navigate

CCI-003521

CCI-003521 Definition

The organization provides means, where feasible and appropriate, for individuals to authorize the maintaining of personally identifiable information (PII) prior to its collection.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents and implements a procedure for individuals to authorize the maintaining of personally identifiable information (PII) prior to its collection. Minimally, where individual authorization is not feasible or appropriate, the organization will notify users that PII is being maintained.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented procedure as well as a sampling of artifacts related to the authorization of the maintaining of PII to ensure the organization being inspected/assessed provides means, where feasible and appropriate, for individuals to authorize the maintaining of PII prior to its collection. Where authorization is not feasible or appropriate, the organization conducting the inspection/assessment ensures that the organization notifies users that PII is being maintained.

Compelling Evidence

Supply documentation and reference the procedure for individuals to authorize the maintaining of PII prior to its collection.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003521.

Control	Description
IP-1	The organization: a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection; b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII; c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; and d. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII.

Control

Description

IP-1

The organization: a. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of personally identifiable information (PII) prior to its collection; b. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII; c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; and d. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII.