- Personally identifiable information may only be obtained through lawful means.
- The purposes for which personally identifiable data are collected shall be specified at or prior to the time of collection, and any subsequent use of the data shall be limited to and consistent with the fulfillment of those purposes previously specified.
- Personal data may not be disclosed, made available, or otherwise used for a purpose other than those specified, except with the consent of the subject of the data, or as required by law or regulation.
- Personal data collected shall be relevant to the purpose for which it is needed.
- The general means by which personal data is protected against loss, unauthorized access, use, modification, or disclosure shall be posted, unless the disclosure of those general means would compromise legitimate agency objectives or law enforcement purposes.
- Prominently posting the policy physically in its offices and on its Internet website, if any;
- Distributing the policy to each of its employees and contractors who have access to personal data;