PM-25 Minimization of Personally Identifiable Information Used in Testing, Training, and Research
Program Management
Description
a. Develop, implement, and update policies and procedures that address the use of personally identifiable information for internal testing, training, and research;
b. Take measures to minimize the use of personally identifiable information for internal testing, training, and research purposes; and
c. Where possible, use techniques to minimize the risk to privacy of using personally identifiable information for internal testing, training, and research, including de-identification and synthetic data generation.
Supplemental Guidance
Organizations can minimize the risk to privacy of using personally identifiable information for internal testing, training, and research by implementing privacy-protective techniques such as de-identification, anonymization, synthetic data generation, and other methods that reduce the risk of exposing PII during such activities. The use of production data containing PII for testing purposes introduces risk that the PII could be misused, improperly accessed, or disclosed.
Changes from Rev 4
New control in Rev 5. PII minimization in testing/training.