Section 5: Privacy



This section discusses how TxDOT safeguards private information as part of its Information Protection Policy. Protection begins when private information is collected and remains in effect through the information’s life cycle until disposition. This section describes collecting only the minimum, authorized, necessary information and provides information for curating a tiered, content-based approach to address the “Protect” objective of the Texas CyberSecurity Framework.



TxDOT administers a Privacy Protection Program to ensure that its employees, business programs, and information systems safeguard the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII). To accomplish this, the Agency must:

  • identify the least amount of PII elements relevant to its business processes
  • evaluate and review its PII assets regularly
  • remove or redact PII in the appropriate, secure manner.

General Responsibilities

All individuals who collect PII on behalf of TxDOT must:

  • request the least amount of PII necessary, confirming its accuracy, relevance, timeliness, and completeness
  • protect the confidentiality of PII
  • provide access to collected PII only to the person it identifies or through legally binding shared agreements.

Information custodians must:

  • ensure PII is used for the authorized purposes only
  • remove or redact PII identified as unnecessary
  • curate PII to better manage risks.

Information owners must:

  • document the legal authority to collect, use, maintain, and share PII
  • create a process to obtain both tiered and blanket approval from individuals before collecting PII
  • help individuals understand that they are approving or denying TxDOT's collection of PII.

Records Management Officer must ensure records that contain PII are maintained securely throughout their lifetime.

Information Security Officer must:

  • survey the PII holdings to identify and dispose of information that is no longer necessary
  • provide techniques to remove or redact PII
  • implement cryptographic mechanisms to prevent unauthorized disclosure and to detect changes to information including:
    • establishing controls for the collection, confidentiality, and integrity of PII
    • restricting access to, sharing of, and transmission of PII
    • ensuring proper retention and disposal of PII
    • managing responses to PII security incidents.

Compliance and Standards

See the “Privacy Standards” in the Information Security Standards manual for a list of the minimum standards necessary to comply with this objective of the Information Protection Policy.
