I. The department shall conduct a written risk assessment and mitigation remediation plan in the form of a privacy impact assessment (PIA).
II. The assessment and plan shall:

Ask a legal question, get an answer ASAP!
Click here to chat with a lawyer about your rights.


(a) Assess risks to an individual’s right to privacy within the department’s information technology systems where the individual does not possess immediate control over their information.
(b) Recommend alternatives to both mitigate the risks and achieve the stated objectives of the department’s systems.
(c) Identify those individuals and offices within the department who shall be directly accountable for the assessment and plan, the system at the time the assessment and plan are compiled, and any approved alternatives and mitigations as a result of the assessment and plan.
III. Unless otherwise required by law or applicable regulation, no personal information shall be collected prior to the completion of the assessment and plan and any subsequent measures as a result of the assessment and plan, as determined by the governance board for any systems implemented subsequent to March 31, 2025.
IV. The assessment and plan shall be approved and may be acted upon by the commissioner. All assessments and plans conducted before the date of the next data privacy and information technology security governance board meeting shall be submitted to the board for review.