PM-25 Minimization of Personally Identifiable Information Used in Testing, Training, and Research
a. Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;
b. Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;
c. Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and
d. Review and update policies and procedures pm-25_prm_1.
Parameter ID | Definition |
---|---|
pm-25_prm_1 | organization-defined frequency |
pm-25_odp.01 | frequency |
pm-25_odp.02 | frequency |
pm-25_odp.03 | frequency |
pm-25_odp.04 | frequency |
Baselines
- L
- M
- H
- P
Guidance
The use of personally identifiable information in testing, research, and training increases the risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and/or legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research.
References
- OMB A-130: Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource*, July 2016.
Related controls
- PM-23 Data Governance Body L M H P
- PT-03 Personally Identifiable Information Processing Purposes L M H P
- SA-03 System Development Life Cycle L M H P
- SA-08 Security and Privacy Engineering Principles L M H P
- SI-12 Information Management and Retention L M H P