PII Collection, Use, Disclosure and Sharing Policy

The PII Collection, Use, Disclosure and Sharing Policy defines operational requirements for how personally identifiable information is collected, used, disclosed and shared within the PIMS scope. Its stated purpose is to ensure that PII is handled only for documented, approved, limited and accountable purposes. The policy applies across controller, joint controller, processor and subprocessor contexts, and covers collection through direct, indirect, automated, manual, internal, external and third-party channels. It also addresses approved internal use by business processes, systems and applications, secondary use for new or materially changed purposes, external disclosure to recipients and third parties, and both recurring data-sharing arrangements and one-off disclosures. A central feature of the policy is its use of evidence registers to connect privacy decisions to auditable records. REG02 is used for PII processing inventory, approved purposes, collection rules, use rules and secondary-use compatibility checks. REG08 is used for processor, subprocessor and data-sharing records, including recipient identity, recipient role, disclosure purpose, PII categories, sharing frequency, processing location and authority source. REG09 is used when sharing involves a new country, international organization, remote access location, recipient location or onward transfer location. REG12 is used for exceptions, nonconformities, audit findings, corrective actions, implementation blocking issues and policy review records. The policy sets clear control points before processing starts. Process Owners or Business Owners must record collection purposes, sources or channels, PII categories, PII principal categories and minimum data elements in REG02 before new collection or material change begins. They must also document a necessity justification for each PII data element before collection. System Owners or Application Owners may implement only approved collection fields, workflow fields, reports, exports or disclosure outputs that match REG02 or REG08 approval. In processor contexts, customer-instruction alignment must be recorded before customer PII is collected, used or disclosed. Secondary use is treated as a governed decision rather than an informal extension of an existing activity. Before PII is used for a purpose not already approved in REG02, the Process Owner or Business Owner must record a compatibility check covering the original purpose, proposed purpose, lawful-basis dependency, PII categories, PII principal expectations, minimization rationale, disclosure or transfer impact and routing to other PIMS policies where needed. The Privacy Lead or PIMS Manager must record an approval or rejection before the secondary use begins. Where sensitive recurring sharing, vulnerable PII principals, high-impact records or materially changed expectations are involved, Data Protection Officer or Privacy Advisor advice must be recorded before approval. Governance, measurement and enforcement are built into the policy. The Privacy Lead or PIMS Manager reviews approved-use rules at least annually, reconciles REG02 approved purposes with REG08 active sharing records at least annually and records outcomes in REG12. Vendor or Procurement Owners reconcile REG08 active sharing entries with active processor, subprocessor, recipient and data-sharing relationships at least quarterly. Internal Audit or Compliance Reviewers sample REG02, REG08 and REG09 evidence annually and record results in REG12. Unapproved collection, use, disclosure or sharing must be recorded as a nonconformity within five business days, and processing may be suspended within one business day where approved evidence is absent.