Privacy
State agencies collect and use personal information to deliver services, administer programs, and meet legal obligations.
The Enterprise Privacy Guidance provides statewide guidance for agency handling of personal information. This guidance is grounded in the Fair Information Practice Principles (FIPPs), the National Institutes of Science and Technology (NIST) Privacy Framework, and the Oregon Information Asset Classification Policy and provides:
- Statewide privacy principles for managing personal information
- A recommended set of privacy controls organized by information classification level
- A checklist for evaluating new or changed uses of personal information
- Recommendations for agency-level privacy roles and oversight
Applicability
The Enterprise Privacy Guidance is optional but recommended for all executive branch agencies under the jurisdiction of the State Chief Information Officer and applies to:
- The collection, use, sharing, storage, and disposal of personal information for state business purposes
- Contractors or third parties processing personal data on behalf of those agencies
Where stricter legal or regulatory requirements exist, those requirements take precedence.
Enterprise Privacy Principles
Oregon's Enterprise Privacy Principles provide a statewide, consistent foundation for managing personal information:
- Lawful, Fair, and Transparent Processing
- Purpose Specification and Use Limitation
- Data Minimization and Collection Limitation
- Data Quality and Accuracy
- Security Safeguards and Access Controls
- Individual Participation and Redress
- Accountability and Governance