LIMITING USE AND DISCLOSURE - 5310.3

(Revised: 06/2014)

Policy: Information asset owners, custodians and users shall not disclose, use, or make available personal information collected from individuals for purposes other than those for which it was originally collected, except in the following situations:

  1. The disclosure is made to the individual who is the subject of the information;
  2. The nature of the disclosure is included in the Privacy Notice on Collection provided at or before the time of collection;
  3. The individual who is the subject of the information, subsequent to collection, provides explicit consent to the disclosure or use; or
  4. The use or disclosure is explicitly allowed under Civil Code section 1798.24.

Accounting of Disclosures

Information asset owners shall keep an accurate accounting of the date, nature, and purpose of each disclosure of a record made under exception number 4 above. The accounting shall include the date of the disclosure, and the name, title, and business address of the individual or state entity to which the disclosure was made.

Information asset owners shall retain the above referenced accounting for at least three years after the disclosure for which the accounting is made, or until the record is destroyed in accordance with the state entity record retention policy, whichever is shorter.

Information asset owners shall inform any individual or state entity to whom a record containing personal information has been disclosed during the preceding three years of any correction of an error in the record or notation of a dispute about its accuracy.

Use of Information by Third Parties

Information asset owners and users shall apply the requirements of this policy to any third party who handles personal information collected by the state entity, in order to accomplish a state entity function that is consistent with the original purposes for which it was collected. Any such third party and its personnel or agent with access to the personal information shall formally agree to be subject to the state entity’s privacy policies and practices in the same manner as an employee of the state entity.

Social Security Numbers

Information asset owners shall minimize the collection and use of Social Security numbers. Information asset owners shall not publicly post or publicly display in any manner an individual's Social Security number or otherwise permit handling of Social Security numbers in any manner inconsistent with the Privacy Individual Access Standard (SIMM 5310-B).

Information asset owners shall not permit Social Security numbers to be either entered into systems as authentication credentials or used as user unique identifiers within systems. This requirement shall apply to all new systems, and major changes or upgrades to existing systems.

Implementation Controls: NIST SP 800-53: Appendix J-Privacy Control Catalog, and SIMM 5310-B

Revisions

No Revisions for this item.
