- 
  
    a: Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;
  
  
      - 
  
    b: Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;
  
  
      - 
  
    c: Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and
  
  
      - 
  
    d: Review and update policies and procedures [one of ].
  
  
Supplemental
    The use of personally identifiable information in testing, research, and training increases the risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and/or legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research.