Establish, implement, and maintain a personal data use limitation program.

CONTROL ID: 13428
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a privacy framework that protects restricted data., CC ID: 11850

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a personal data use purpose specification., CC ID: 00093
  • Establish, implement, and maintain data access procedures., CC ID: 00414
  • Establish, implement, and maintain restricted data use limitation procedures., CC ID: 00128
  • Establish, implement, and maintain data disclosure procedures., CC ID: 00133

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • An organisation must not use or disclose a government related identifier of an individual unless: (Schedule 1 Part 3 Clause 9 Subclause 9.2, Australian Privacy Act 1988, Compilation No. 77)
  • Privacy. Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives. (¶ 1.48 e., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Use and release of contractor attributional/proprietary information created by or for DoD. Information that is obtained from the contractor (or derived from information obtained from the contractor) under this clause that is created by or for DoD (including the information submitted pursuant to para… (§ 252.204-7012(j), 252.204-7012, SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING (DEC 2019))
  • For any type of disclosure that it makes on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. (§ 164.514(d)(3)(i), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Assure that the use of technologies maintains, and does not erode, privacy protections on use, collection and disclosure of personal information (T0901, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Assure that the use of technologies maintains, and does not erode, privacy protections on use, collection and disclosure of personal information (T0901, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be ne… (DM-1c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)