Guides and playbooks
Best practices and relevant laws and regulations
Legal and regulatory guidance
- Statewide Information Management Manual (SIMM)
- Health information privacy from HIPPA
- California Confidentiality of Medical Information Act (CMIA)
- Family Educational Rights and Privacy Act (FERPA)
- California Information Practices Act of 1977
- California Financial Information Privacy Act
Privacy frameworks and best practices
- Massive Data Institute (MDI): Quick Improvements to Data Privacy
- National Institute of Standards and Technology (NIST) Privacy Framework
- International Association of Privacy Professionals on data minimization
- Actionable Intelligence for Social Policy federal data response guidance
State-specific templates and examples
- SIMM Privacy Threshold Assessment and Privacy Impact Assessment
- Standard Contract Language for Non-IT Services
Summaries of key State Administrative Manual and SIMM sections
- Information asset management (SAM 5305): Requires departments to create and maintain an inventory of all their data. This lets them understand the value and sensitivity of data. It allows departments to categorize and classify data. This is the foundation for effective security and privacy controls.
- Privacy and data minimization (SAM 5310 - 5310.8): This is the core privacy policy for state departments.
- SAM 5310 establishes that people have a right to control their personal information. Departments must have a privacy program to comply with the Information Practices Act.
- SAM 5310.2 mandates that departments must collect the least amount of data needed to do the work.
- SAM 5310.8 emphasizes that data collection, use, and retention must be reasonably necessary and proportionate to the intended purpose.
- Information security (SIMM 5300): Detailed standards and procedures for state department information security. It covers things like risk management, incident response, and technical and administrative controls. It gives a foundation for departments to protect data.
Summaries of key Civil Code statutes
- § 1798: The overarching section that establishes the Information Practices Act of 1977. It lays out the fundamental right to privacy in personal information.
- § 1798.14: This section is central to the data minimization principle. Departments must only keep personal information "relevant and necessary" to accomplish a purpose required or authorized by law.
- § 1798.24: This section outlines when a department can disclose personal information. They include disclosures for legal proceedings, to law enforcement, and with the individual's consent.