CCI-004434

Implementation Guidance

Determine if: - policies are reviewed [PM-25_ODP[01]; the frequency for reviewing policies that address the use of personally identifiable information for internal testing, training, and research is defined]. - policies are updated [PM-25_ODP[02]; the frequency for updating policies that address the use of personally identifiable information for internal testing, training, and research is defined]. - procedures are reviewed [PM-25_ODP[03]; the frequency for reviewing procedures that address the use of personally identifiable information for internal testing, training, and research is defined]. - procedures are updated [PM-25_ODP[04]; the frequency for updating procedures that address the use of personally identifiable information for internal testing, training, and research is defined].

Validation Procedures

Examine: [SELECT FROM: Privacy program plan; policies and procedures for the minimization of personally identifiable information used in testing, training, and research; documentation supporting policy implementation (e.g., templates for testing, training, and research; privacy threshold analysis; privacy risk assessment); data sets used for testing, training, and research]. Interview: [SELECT FROM: Organizational personnel with privacy program responsibilities; organizational personnel with privacy responsibilities; system developers; personnel with IRB responsibilities]. Test: [SELECT FROM: Organizational processes for data quality and personally identifiable information management; mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information].