- how PII is collected by the AHA program or activity;
- what type of PII is collected;
- where it will be collected from;
- how it will be used and shared;
- how access to PII by AHA personnel will be controlled;
- how PII is kept accurate, complete and secure;
- how long the PII will be kept and how it will be destroyed; and
- how an individual can obtain, confirm, correct, or request permanent deletion--to the extent deletion is required by law--of any PII under AHA control.
The Privacy & Security Procedures for each program or activity must be approved by Business Technology, Legal and the appropriate chief executive for that business unit before collection or use of PII begins, whether or not the PII is collected electronically or in hard copy form.