EXECUTIVE DIRECTIVE No. 2010-3

TO: Department Directors and Autonomous Agency Heads
FROM: Governor Jennifer M. Granholm
DATE: December 21, 2010
SUBJECT: Implementation of Recommendations of the Michigan Information Privacy Protection Council

The Michigan Information Privacy Protection Council established by Executive Order 2009-18 (“Council”) has adopted several generally accepted privacy principles and recommended that each state department and agency implement procedures to address these general principles consistent with each department’s and agency’s mission, business practices, organization, applicable laws, and regulations. Accordingly, I direct the following:

A. Consistent with the recommendations of the Council, each state department and agency shall adopt policies and procedures to assure compliance with applicable state and federal privacy laws and the promotion of effective information security and privacy protection, including all of the following general accepted privacy principles:

1. Management. Define, communicate, and assign accountability for departmental or agency privacy policies and procedures relating to personal identifying information and personal information.

2. Notice. Provide notice of departmental or agency privacy policies and procedures and identify the purposes for which personal identifying information and personal information is collected, used, retained, and disclosed.

3. Choice and consent. Describe the choices available to an individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal identifying information and personal information.

4. Collection. Collect personal identifying information and personal information only for the purposes identified in the notice.

5. Use, retention, and disposal. Limit the use of personal identifying information and personal information to the purposes identified in the notice and for which an individual has provided implicit or explicit consent. Retain personal identifying information and personal information only for the purposes identified in the notice. Appropriately dispose of retained personal identifying information and personal information.

6. Access. Provide an individual with access to his or her personal identifying information and personal information for review and update.

7. Disclosure. Disclose personal identifying information and personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

8. Security. Protect personal identifying information and personal information against unauthorized access.

9. Quality. Maintain complete and relevant personal identifying information and personal information for the purposes identified in the notice.

10. Monitoring and enforcement. Monitor compliance with departmental or agency privacy policies and procedures and develop procedures to address privacy-related complaints and disputes.

B. The Council, assisted by the Department of Technology, Management, and Budget shall coordinate state efforts to implement this Directive.

C. As used in this Directive, “personal identifying information” and personal information” mean those terms as defined under Section 3 of the Identity Theft Protection Act, 2004 PA 452, MCL 445.63.

This Directive is effective upon issuance.

______________________________
JENNIFER M. GRANHOLM
GOVERNOR