PRIVACY THRESHOLD AND PRIVACY IMPACT ASSESSMENTS - 5310.8

Policy: Information asset owners shall apply all applicable statewide and state entity information privacy and security laws, policies, standards, and procedures in order to protect personal information under the information asset owner’s responsibility. This includes, but is not limited to conducting a Privacy Threshold Assessment (PTA) and if necessary, a Privacy Impact Assessment (PIA) when the collection, use, maintenance, storage, sharing, disclosure or disposal of personal information, as defined by Civil Code section 1798.3, is involved.  A PTA and PIA shall be performed upon the development or procurement of new information system, and when proposing changes to an existing system. Information systems in this context may be manual or technology based.  State entities shall use SIMM 5310-C or an equivalent tool to meet this requirement.

Governing Provisions:  Civil Code Sections 1798.21 and 1798.30

Implementation Controls:

NIST SP 800-53 Personally Identifiable Information Processing and Transparency (PT)

SIMM 5310-C