The American Heart Association believes that data it collects from its programs, products and services is an essential resource for furthering our mission of building healthier lives free from cardiovascular disease and stroke. Because of the potential of this significant resource to deepen our understanding of the risks, consequences and future cures for these diseases, AHA seeks to obtain data in a manner that allows the AHA to use the data it collects in as many ways as possible that are beneficial to the advancement of its mission and the benefit of the public. At the same time, AHA respects the rights of individuals to understand and direct how their private information can be used.
- how PII is collected by the AHA program or activity;
- what type of PII is collected;
- where it will be collected from;
- how it will be used and shared;
- how access to PII by AHA personnel will be controlled;
- how PII is kept accurate, complete and secure;
- how long the PII will be kept and how it will be destroyed; and
- how an individual can obtain, confirm, correct, or request permanent deletion--to the extent deletion is required by law--of any PII under AHA control.
The Privacy & Security Procedures for each program or activity must be approved by Business Technology, Legal and the appropriate chief executive for that business unit before collection or use of PII begins, whether the PII is collected electronically or in hard copy form.
Standard 1 - Compliance with Laws & Accountability:
Standard 2 - Transparency:
Standard 3 - Limitations on Disclosure:
Because AHA values and respects an individual’s desire to keep certain personal information private, AHA will not disclose PII to third parties, other than: 1) when consent is required by law, only for purposes included within the consent of the individual providing his or her PII; 2) purposes that are consistent with or are necessary to carry out the original express purpose for which the consent was granted and related to AHA’s overall mission; or 3) as otherwise authorized by law. When individual consent is required, such individual consent shall be obtained at or before the time the information is collected, or before the time the information is used in a way not covered by an individual’s prior consent.
Standard 4 - Security Measures:
The AHA will use reasonable and appropriate security measures to protect PII against unauthorized access, use, modification or disclosure, and shall ensure that all PII for which it has responsibility is maintained in a secure environment at least at the levels required by any applicable law. The AHA will use applicable reasonable industry standards when destroying PII to protect against unauthorized disclosure.