Privacy Strategy
Various states and countries around the world have enacted privacy laws that govern the collection, maintenance, and sharing of personally identifiable information (PII). Many of these laws use the Fair Information Privacy Principles (FIPPS)¹ as their guiding tenets. The Maryland Privacy Strategy has adopted these FIPPS and associated practices.
Integrating these principles and associated practices reduces the risk of unauthorized disclosure and guides proper collection, maintenance, and sharing of information.
- Transparency: The organization should be transparent and provide notice to the individual regarding its collection, use, dissemination and maintenance of personally identifiable information (PII).
- Individual Participation: Consent should be sought from the individual for the collection, use, dissemination and maintenance of PII. A mechanism should also be provided for appropriate access, correction and redress regarding the organization’s use of PII.
- Purpose Specification: The organization should specifically articulate the authority that permits the collection of PII and the purpose(s) for which the PII is intended to be used.
- Data Minimization: The organization should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as it is necessary to fulfill those purpose(s).
- Use Limitation: The organization should use PII solely for the purpose(s) specified in the notice. Sharing PII outside of the organization should be for a purpose compatible with the purpose(s) for which the PII was collected.
- Data Quality and Integrity: The organization, to the extent practicable, should ensure that PII is accurate, relevant, timely and complete.
- Security: The organization should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.
- Accountability and Auditing: The organization should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.