Data Minimization and Retention
This family assists organizations in implementing the data minimization and retention elements of the Privacy Act, which requires organizations to collect, use, and retain only PII that is relevant and necessary for the specified purpose for which it was originally collected. Organizations retain PII for only as long as necessary to fulfill the specified purpose(s) and in accordance with a National Archives and Records Administration (NARA)-approved record retention schedule.
Control: The organization:
a. Identifies the minimum PII elements (e.g., name, address, date of birth) that are relevant and necessary to accomplish the legally authorized purpose of collection;
b. Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and
c. Conducts an initial evaluation and performs periodic evaluations of its holdings of PII to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose.
Supplemental Guidance: The collection of PII is consistent with a purpose authorized by law or regulation. The minimum set of PII elements required to support a specific organization business process may be a subset of the PII the organization is authorized to collect. Program officials consult with the SAOP/CPO and legal counsel to identify the minimum PII elements required by the information system or activity to accomplish the legally authorized purpose.
Organizations can further reduce their privacy and security risks by also reducing their inventory of PII, where appropriate. OMB Memorandum 07-16 requires organizations to conduct both an initial review and subsequent reviews of their holdings of all PII and ensure, to the maximum extent practicable, that such holdings are accurate, relevant, timely, and complete. Organizations are also directed by OMB to reduce their holdings to the minimum necessary for the proper performance of a documented organizational business purpose. Reductions in organizational holdings of PII are consistent with NARA retention schedules.
By performing periodic evaluations, organizations reduce risk, ensure that they are collecting only the data specified in the notice, and ensure that the data collected is still relevant and necessary for the purpose(s) specified in the notice.
Related controls: AP-2, AR-4, IP-1, IP-2, IP-3, TR-1, SI-12.
Control Enhancements:
(1) Where feasible and within the limits of technology, the organization locates and removes or redacts specified PII and/or uses anonymization and de-identification techniques to permit use of the retained information while reducing its sensitivity and reducing the risk resulting from disclosure.
Enhancement Supplemental Guidance: NIST Special Publication 800-122 provides guidance on anonymization.
References: The Privacy Act of 1974, Section 552a (e)(1), (e)(2); Public Law 107-347, E-Government Act of 2002, as amended, Section 208(b); OMB Memoranda 03-22, 07-16.
DATA RETENTION AND DISPOSAL
Control: The organization:
a. Retains PII for only as long as is necessary to fulfill the purpose(s) identified in the notice or as required by law;
b. Appropriately disposes of PII when it is no longer necessary to retain it;
c. Systematically destroys, erases, and/or anonymizes the PII, regardless of the method of storage (e.g., electronic, optical media, or paper-based) in accordance with a NARA-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access; and
d. Uses audits and appropriate technology to ensure secure deletion or destruction of PII (including originals, copies, and archived records).
Supplemental Guidance: NARA provides retention schedules that govern the disposition of federal records containing PII. Program officials coordinate with records officers and with NARA to identify appropriate retention periods and disposal methods. NARA may require organizations to retain PII longer than is operationally needed. In those situations, organizations describe such requirements in the notice.
Examples of ways organizations may reduce holdings include reducing the types of PII held (e.g., deleting Social Security numbers if their use is no longer needed) or shortening the retention period for PII that is maintained if it is no longer necessary to keep PII for long periods of time (this effort is undertaken in consultation with an organization’s records officer to receive NARA approval). In both examples, organizations provide notice (e.g., an updated SORN) to inform the public of any changes in holdings of PII. OMB Memorandum 07-16 requires organizations to develop and publicize, either through a notice in the Federal Register or on their websites, a schedule for periodic reviews of their holdings to supplement the initial review.
Certain read-only archiving techniques, such as DVDs, CDs, microfilm, or microfiche, may not permit the removal of individual records without the destruction of the entire database contained on such media.
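As an added illustration, not drawn from the control text or any NIST publication, the following Python sketch shows how the minimization (b/c), retention (DM-2 a/c) and audit (DM-2 d) requirements above could be enforced over a record store. The authorized element list, the retention period and the sample records are constructed placeholders, not a real notice or NARA schedule.

```python
from datetime import date, timedelta

# Constructed placeholders: in practice these come from the published notice
# (authorized PII elements) and the NARA-approved retention schedule.
AUTHORIZED_ELEMENTS = {"record_id", "name", "address", "date_of_birth", "collected_on"}
RETENTION_DAYS = 365 * 3                              # placeholder period
PII_TO_STRIP = {"name", "address", "date_of_birth"}   # identifying elements

def minimize(record):
    """Keep only the elements listed in the notice; report anything extra."""
    extra = sorted(set(record) - AUTHORIZED_ELEMENTS)
    kept = {k: v for k, v in record.items() if k in AUTHORIZED_ELEMENTS}
    return kept, extra

def apply_retention(records, today, retention_days=RETENTION_DAYS):
    """Strip unauthorized elements, anonymize records past the retention
    period, and return (retained records, audit trail of every action)."""
    cutoff = today - timedelta(days=retention_days)
    retained, audit = [], []
    for rec in records:
        rec, extra = minimize(rec)
        if extra:
            audit.append(f"{rec['record_id']}: dropped unauthorized elements {extra}")
        if date.fromisoformat(rec["collected_on"]) < cutoff:
            # Past retention: remove identifying elements, keep non-identifying data
            rec = {k: v for k, v in rec.items() if k not in PII_TO_STRIP}
            audit.append(f"{rec['record_id']}: PII anonymized "
                         f"(collected {rec['collected_on']}, cutoff {cutoff})")
        retained.append(rec)
    return retained, audit

SAMPLE_RECORDS = [  # constructed sample data; 'ssn' is not in the notice
    {"record_id": "r1", "name": "A. Person", "address": "1 Main St",
     "date_of_birth": "1980-01-01", "collected_on": "2018-05-01",
     "ssn": "000-00-0000"},
    {"record_id": "r2", "name": "B. Person", "address": "2 Main St",
     "date_of_birth": "1990-02-02", "collected_on": "2023-09-15"},
]

def run_example():
    """Run the review as of a fixed date so results are reproducible."""
    return apply_retention(SAMPLE_RECORDS, date(2024, 1, 1))

if __name__ == "__main__":
    kept, log = run_example()
    for line in log:
        print(line)
```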
Related controls: AR-4, AU-11, DM-1, MP-6, SI-12, TR-1.
Control Enhancements: None.
References: The Privacy Act of 1974, 552a (e)(1); Public Law 107-347, E-Government Act of 2002, as amended, Section 208 (e); 44 U.S.C. Chapters 29, 31, 33; OMB Circular A-130; OMB Memorandum 07-16; NIST Special Publication 800-88.