Aicpa Cica Privacy Maturity Model Final-2011 PDF

AICPA/CICA
Privacy Maturity Model

March 2011
Notice to Reader
DISCLAIMER: This document has not been approved, disapproved, or otherwise acted upon by any senior technical committees of, and does not represent an
official position of the American Institute of Certified Public Accountants (AICPA) or the Canadian Institute of Chartered Accountants (CICA). It is distributed with
the understanding that the contributing authors and editors, and the publisher, are not rendering legal, accounting, or other professional services in this document.
The services of a competent professional should be sought when legal advice or other expert assistance is required.
Neither the authors, the publishers nor any person involved in the preparation of this document accept any contractual, tortious or other form of liability for its
contents or for any consequences arising from its use. This document is provided for suggested best practices and is not a substitute for legal advice. Obtain legal
advice in each particular situation to ensure compliance with applicable laws and regulations and to ensure that procedures and policies are current as legislation
and regulations may be amended.
Copyright © 2011 by
American Institute of Certified Public Accountants, Inc.
and Canadian Institute of Chartered Accountants.
All rights reserved. Checklists and sample documents contained herein may be reproduced and distributed as part of professional services or within the context of
professional practice, provided that reproduced materials are not in any way directly offered for sale or profit. For information about the procedure for requesting
permission to make copies of any part of this work, please visit www.copyright.com or call (978) 750-8400.
AICPA/CICA Privacy Maturity Model
AICPA/CICA Privacy Task Force
Chair
Everett C. Johnson, CPA
Vice Chair
Kenneth D. Askelson, CPA, CITP, CIA
Eric Federing
Philip M. Juravel, CPA, CITP
Sagi Leizerov, Ph.D., CIPP
Rena Mears, CPA, CITP, CISSP, CISA, CIPP
Robert Parker, FCA, CA•CISA, CMC
Marilyn Prosch, Ph.D., CIPP
Doron M. Rotman, CPA (Israel), CISA, CIA, CISM, CIPP
Kerry Shackelford, CPA
Donald E. Sheehy, CA•CISA, CIPP/C
Staff Contacts:
Nicholas F. Cheung, CA, CIPP/C
CICA
Principal, Guidance and Support
and
Nancy A. Cohen, CPA, CITP, CIPP

AICPA
Senior Technical Manager, Specialized Communities and Practice Management
iii
Acknowledgements
The AICPA and CICA appreciate the contributions of the volunteers who devoted significant time and effort to this project. The institutes also acknowledge the
support that the following organization has provided to the development of the Privacy Maturity Model:
iv
Table of Contents
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2 AICPA/CICA Privacy Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Generally Accepted Privacy Principles (GAPP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Privacy Maturity Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
3 Advantages of Using the Privacy Maturity Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
4 Using the Privacy Maturity Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Document Findings against GAPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Assessing Maturity Using the PMM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
5 Privacy Maturity Model Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
AICPA/CICA PRIVACY MATURITY MODEL

Based on Generally Accepted Privacy Principles (GAPP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
v
This page intentionally left blank.
vi
AICPA/CICA Generally Accepted Privacy Principles (GAPP)

Generally Accepted Privacy Principles has been developed from a business
perspective, referencing some but by no means all significant local, national
Privacy Maturity and international privacy regulations. GAPP converts complex privacy
requirements into a single privacy objective supported by 10 privacy prin-
Model User Guide

ciples. Each principle is supported by objective, measurable criteria (73 in all)
that form the basis for effective management of privacy risk and compliance.
Illustrative policy requirements, communications and controls, including their
monitoring, are provided as support for the criteria.
GAPP can be used by any organization as part of its privacy program. GAPP
1 Introduction has been developed to help management create an effective privacy program
that addresses privacy risks and obligations as well as business opportunities.
Privacy related considerations are significant business requirements that
must be addressed by organizations that collect, use, retain and disclose per- It can also be a useful tool to boards and others charged with governance and
sonal information about customers, employees and others about whom they the provision of oversight. It includes a definition of privacy and an explana-
have such information. Personal information is information that is about, or tion of why privacy is a business issue and not solely a compliance issue. Also
can be related to, an identifiable individual, such as name, date of birth, home illustrated are how these principles can be applied to outsourcing arrange-
address, home telephone number or an employee number. Personal infor- ments and the types of privacy initiatives that can be undertaken for the
mation also includes medical information, physical features, behaviour and benefit of organizations, their customers and related persons.
other traits. The ten principles that comprise GAPP:
Privacy can be defined as the rights and obligations of individuals and organi- • Management. The entity defines, documents, communicates and assigns
zations with respect to the collection, use, retention, disclosure, and disposal accountability for its privacy policies and procedures.
of personal information. • Notice. The entity provides notice about its privacy policies and pro-
cedures and identifies the purposes for which personal information is
Becoming privacy compliant is a journey. Legislation and regulations con- collected, used, retained and disclosed.
tinue to evolve resulting in increasing restrictions and expectations being • Choice and consent. The entity describes the choices available to the
placed on employers, management and boards of directors. Measuring prog- individual and obtains implicit or explicit consent with respect to the col-
ress along the journey is often difficult and establishing goals, objectives, lection, use and disclosure of personal information.
timelines and measurable criteria can be challenging. However, establishing • Collection. The entity collects personal information only for the pur-
appropriate and recognized benchmarks, then monitoring progress against poses identified in the notice.
them, can ensure the organization’s privacy compliance is properly focused. • Use, retention and disposal. The entity limits the use of personal informa-
tion to the purposes identified in the notice and for which the individual
2 AICPA/CICA Privacy Resources

has provided implicit or explicit consent. The entity retains personal
information for only as long as necessary to fulfill the stated purposes or
The American Institute of Certified Public Accountants (AICPA) and the as required by law or regulations and thereafter appropriately disposes
Canadian Institute of Chartered Accountants (CICA) have developed tools, of such information.
processes and guidance based on Generally Accepted Privacy Principles • Access. The entity provides individuals with access to their personal
(GAPP) to assist organizations in strengthening their privacy policies, proce- information for review and update.
dures and practices. GAPP and other tools and guidance such as the AICPA/ • Disclosure to third parties. The entity discloses personal information to
CICA Privacy Risk Assessment Tool, are available at www.aicpa.org/privacy third parties only for the purposes identified in the notice and with the
and www.cica.ca/privacy. implicit or explicit consent of the individual.
1
• Security for privacy. The entity protects personal information against 3. Defined – procedures and processes are fully documented and imple-
unauthorized access (both physical and logical). mented, and cover all relevant aspects.
• Quality. The entity maintains accurate, complete and relevant personal 4. Managed – reviews are conducted to assess the effectiveness of the
information for the purposes identified in the notice. controls in place.
• Monitoring and enforcement. The entity monitors compliance with its 5. Optimized – regular review and feedback are used to ensure continuous
privacy policies and procedures and has procedures to address privacy- improvement towards optimization of the given process.
related complaints and disputes.
In developing the PMM, it was recognized that each organization’s personal
Since GAPP forms the basis for the Privacy Maturity Model (PMM), an under- information privacy practices may be at various levels, whether due to leg-
standing of GAPP is required. In addition, an understanding of the entity’s islative requirements, corporate policies or the status of the organization’s
privacy program and any specific privacy initiatives is also required. The privacy initiatives. It was also recognized that, based on an organization’s
reviewer should also be familiar with the privacy environment in which the approach to risk, not all privacy initiatives would need to reach the highest
entity operates, including legislative, regulatory, industry and other jurisdic- level on the maturity model.
tional privacy requirements.
Each of the 73 GAPP criteria is broken down according to the five maturity lev-
Privacy Maturity Model els. This allows entities to obtain a picture of their privacy program or initiatives
Maturity models are a recognized means by which organizations can measure both in terms of their status and, through successive reviews, their progress.
their progress against established benchmarks. As such, they recognize that:
• becoming compliant is a journey and progress along the way strength-
ens the organization, whether or not the organization has achieved all of 3 Advantages of Using the
the requirements; Privacy Maturity Model
• in certain cases, such as security-focused maturity models, not every The PMM provides entities with a useful and effective means of assessing
organization, or every security application, needs to be at the maximum their privacy program against a recognized maturity model and has the
for the organization to achieve an acceptable level of security; and added advantage of identifying the next steps required to move the privacy
• creation of values or benefits may be possible if they achieve a higher program ahead. The PMM can also measure progress against both internal
maturity level. and external benchmarks. Further, it can be used to measure the progress of
both specific projects and the entity’s overall privacy initiative.
The AICPA/CICA Privacy Maturity Model1 is based on GAPP and the Capabil-
ity Maturity Model (CMM) which has been in use for almost 20 years.
The PMM uses five maturity levels as follows: 4 Using the Privacy Maturity Model
1. Ad hoc – procedures or processes are generally informal, incomplete, The PMM can be used to provide:
and inconsistently applied. • the status of privacy initiatives
2. Repeatable – procedures or processes exist; however, they are not fully • a comparison of the organization’s privacy program among business or
documented and do not cover all relevant aspects. geographical units, or the enterprise as a whole
• a time series analysis for management
• a basis for benchmarking to other comparable entities.
1 This model is based on Technical Report, CMU/SEI-93TR-024 ESC-TR-93-177, “Capability Maturity
Model SM for Software, Version 1.1,” Copyright 1993 Carnegie Mellon University, with special permis-
sion from the Software Engineering Institute. Any material of Carnegie Mellon University and/or its To be effective, users of the PMM must consider the following:
Software Engineering Institute contained herein is furnished on an “as-is” basis. Carnegie Mellon Uni-
versity makes no warranties of any kind, either expressed or implied, as to any matter including, but • maturity of the entity’s privacy program
not limited to, warranty of fitness for purpose or merchantability, exclusivity, or results obtained from • ability to obtain complete and accurate information on the entity’s pri-
use of material. Carnegie Mellon University does not make any warranty of any kind with respect to
freedom from patent, trademark, or copyright infringement. This model has not been reviewed nor is vacy initiatives
it endorsed by Carnegie Mellon University or its Software Engineering Institute. Capability Maturity • agreement on the Privacy Maturity assessment criteria
Model, CMM, and CMMI are registered in the U.S. Patent and Trademark Office by Carnegie Mellon
University. • level of understanding of GAPP and the PMM.
2
Getting Started Users of the PMM should review the descriptions of the activities, documents,
While the PMM can be used to set benchmarks for organizations establishing a policies, procedures and other information expected for each level of matu-
privacy program, it is designed to be used by organizations that have an exist- rity and compare them to the status of the organization’s privacy initiatives.
ing privacy function and some components of a privacy program. The PMM In addition, users should review the next-higher classification and determine
provides structured means to assist in identifying and documenting current whether the entity could or should strive to reach it.
privacy initiatives, determining status and assessing it against the PMM criteria.
It should be recognized that an organization may decide for a number of rea-
Start-up activities could include: sons not to be at maturity level 5. In many cases a lower level of maturity will
• identifying a project sponsor (Chief Privacy Officer or equivalent) suffice. Each organization needs to determine the maturity level that best
• appointing a project lead with sufficient privacy knowledge and author- meets their needs, according to its circumstances and the relevant legislation.
ity to manage the project and assess the findings
• forming an oversight committee that includes representatives from legal, Once the maturity level for each criterion has been determined, the organi-
human resources, risk management, internal audit, information technol- zation may wish to summarize the findings by calculating an overall maturity
ogy and the privacy office score by principle and one for the entire organization. In developing such a
• considering whether the committee requires outside privacy expertise score, the organization should consider the following:
• assembling a team to obtain and document information and perform the • sufficiency of a simple mathematical average; if insufficient, determina-
initial assessment of the maturity level tion of the weightings to be given to the various criteria
• managing the project by providing status reports and the opportunity to • documentation of the rationale for weighting each criterion for use in
meet and assess overall progress future benchmarking.
• providing a means to ensure that identifiable risk and compliance issues
5 Privacy Maturity Model Reporting

are appropriately escalated
• ensuring the project sponsor and senior management are aware of all
findings The PMM can be used as the basis for reporting on the status of the entity’s
• identifying the desired maturity level by principle and/or for the entire privacy program and initiatives. It provides a means of reporting status and,
organization for benchmarking purposes. if assessed over time, reporting progress made.
Document Findings against GAPP In addition, by documenting requirements of the next-higher level on the
The maturity of the organization’s privacy program can be assessed when PMM, entities can determine whether and when they should initiate new
findings are: privacy projects to raise their maturity level. Further, the PMM can identify
• documented and evaluated under each of the 73 GAPP criteria situations where the maturity level has fallen and identify opportunities and
• reviewed with those responsible for their accuracy and completeness requirements for remedial action.
• reflective of the current status of the entity’s privacy initiatives and pro- Privacy maturity reports can be in narrative form; a more visual form can be
gram. Any plans to implement additional privacy activities and initiatives developed using graphs and charts to indicate the level of maturity at the
should be captured on a separate document for use in the final report. principle or criterion level.
As information on the status of the entity’s privacy program is documented The following examples based on internal reports intended for management
for each of the 73 privacy criteria, it should be reviewed with the providers of use graphical representations.
the information and, once confirmed, reviewed with the project committee.
Assessing Maturity Using the PMM

Once information on the status of the entity’s privacy program has been
determined, the next task is to assess that information against the PMM.
3
Figure 1 – Privacy Maturity Report by GAPP Principle Figure 3 – Maturity Report by Criteria within a GAPP Principle Over Time
Figure 1 shows a sam- Maturity Reporting by Principle Figure 3 shows the Maturity Reporting by Criteria by Time Period
ple graph that could Entity’s Desired maturity of each cri-
Maturity Level
be used to illustrate 5
terion within the Entity’s Actual
Entity’s Desired
Maturity Level
the maturity of the ‘Collection’ principle Maturity Level
5
organization’s privacy 4 for three time periods.
Maturity Level
program by each of the
Maturity Level
3 The report indicates the 4
10 principles in GAPP. actual maturity level for 3
The report also indicates 2 each criterion for three
the desired maturity different time periods. 2
1
level for the enterprise. Reports like this pro- 1
Reports like this are 0 vide useful insight into
useful in provid- progress being made
Management
Notice
Choice &
0
Collection
Use, Retention
Consent
to 3 rd Parties
Security for
Monitoring &
Enforcement
Quality
Access
ing management with by the entity’s privacy
4.1.0 Privacy Policies
to Individuals
to Purpose in Notice
& Lawful Means
3 rd Parties
Individuals
4.1.1 Communication
4.2.1 Collection Limited
4.2.2 Collection by Fair
4.2.4 Information
Developed About
4.2.3 Collection From
Disclosure
4.1.2 Types and Methods

of Collection
& Disposal
an overview of the initiatives over time.
Privacy
entity’s privacy pro-
gram and initiatives.
Figure 2 – Maturity Report by Criteria within a Specific GAPP Principle

Figure 2 shows the Maturity Reporting by Criteria
maturity of each crite-
Entity’s Actual
rion within a specific Maturity Level Entity’s Desired
principle – in this case,
6 Summary
5 Maturity Level
the ‘Notice’ principle.
4
Maturity Level
The report indicates the

3
actual maturity level The AICPA/CICA Privacy Maturity Model provides entities with an oppor-
for each criterion. 2
tunity to assess their privacy initiatives against criteria that reflect the
The report also indicates
the actual and desired
1 maturity of their privacy program and their level of compliance with Gener-
maturity level for the 0 ally Accepted Privacy Principles.
principle as a whole.
Policies
to Individuals
of Notice
Activities
Conspicuous
2.1.1 Communication
2.2.1 Provision
2.2.2. Entities &
2.2.3 Clear &

2.1.0 Privacy
Reports like this pro- The PMM can be a useful tool for management, consultants and auditors and
vide useful insight into should be considered throughout the entity’s journey to develop a strong pri-
specific criteria within
a privacy principle. vacy program and benchmark its progress.
4
AICPA/CICA PRIVACY MATURITY MODEL1

Based on Generally Accepted Privacy Principles (GAPP)2
GAPP - 73 Criteria Maturity Levels
Criteria Description Ad Hoc Repeatable Defined Managed Optimized
MANAGEMENT The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
(14 criteria)
Privacy Policies The entity defines and Some aspects of Privacy policies exist Policies are defined Compliance with Management monitors
(1.1.0) documents its privacy poli- privacy policies but may not be com- for: notice, choice privacy policies is compliance with poli-
cies with respect to notice; exist informally. plete, and are not and consent; collec- monitored and the cies and procedures
choice and consent; col- fully documented. tion; use, retention results of such mon- concerning personal
lection; use, retention and and disposal; access; itoring are used to information. Issues of
disposal; access; disclosure disclosure; security reinforce key pri- non-compliance are
to third parties; security for for privacy; qual- vacy messages. identified and reme-
privacy; quality; and mon- ity; and monitoring dial action taken to
itoring and enforcement. and enforcement. ensure compliance
in a timely fashion.
Communication to Privacy policies and the Employees may Employees are pro- The entity has a pro- Privacy policies and Changes and improve-
Internal Personnel consequences of non- com- be informed about vided guidance on cess in place to the consequences ments to messaging
(1.1.1) pliance with such policies the entity’s privacy the entity’s privacy communicate pri- of non-compliance and communications
are communicated, at least policies; however, policies and pro- vacy policies and are communicated techniques are made
annually, to the entity’s communications are cedures through procedures to employ- at least annually; in response to peri-
internal personnel respon- inconsistent, sporadic various means; how- ees through initial understanding is mon- odic assessments and
sible for collecting, using, and undocumented. ever, formal policies, awareness and train- itored and assessed. feedback. Changes
retaining and disclos- where they exist, ing sessions and an in privacy policies
ing personal information. are not complete. ongoing communi- are communicated
Changes in privacy poli- cations program. to personnel shortly
cies are communicated to after the changes
such personnel shortly after are approved.
the changes are approved.
1 This model is based on Technical Report, CMU/SEI-93TR-024 ESC-TR-93-177, “Capability Maturity Model SM for Software, Version 1.1,” Copyright 1993 Carnegie Mellon University, with special permission from the
Software Engineering Institute. Any material of Carnegie Mellon University and/or its Software Engineering Institute contained herein is furnished on an “as-is” basis. Carnegie Mellon University makes no warranties of
any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for purpose or merchantability, exclusivity, or results obtained from use of material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. This model has not been reviewed nor is it endorsed by Carnegie Mellon University or its Software
Engineering Institute. ® Capability Maturity Model, CMM, and CMMI are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.
2 Published by the American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA)
5

(14 criteria) cont.
Responsibility and Responsibility and account- Management is Management under- Defined roles and Management moni- The entity (such as
Accountability for ability are assigned to a becoming aware of stands the risks, responsibilities have tors the assignment of a committee of the
Policies (1.1.2) person or group for devel- privacy issues but has requirements (includ- been developed and roles and responsibili- board of directors)
oping, documenting, not yet identified a key ing legal, regulatory assigned to various ties to ensure they are regularly monitors
implementing, enforcing, sponsor or assigned and industry) and their individuals / groups being performed, that the processes and
monitoring and updating responsibility. responsibilities with within the entity and the appropriate infor- assignments of those
the entity’s privacy policies. Privacy issues are respect to privacy. employees are aware mation and materials responsible for pri-
The names of such person addressed reactively. There is an under- of those assign- are developed and vacy and analyzes
or group and their respon- standing that ments. The approach that those responsible the progress to
sibilities are communicated appropriate pri- to developing privacy are communicating determine its effec-
to internal personnel. vacy management is policies and proce- effectively. Privacy ini- tiveness. Where
important and needs dures is formalized tiatives have senior required, changes
to be considered. and documented. management support. and improvements
Responsibility for are made in a timely
operation of the enti- and effective fashion.
ty’s privacy program
is assigned; how-
ever, the approaches
are often informal
and fragmented with
limited authority or
resources allocated.
Review and Approval Privacy policies and pro- Reviews are informal Management under- Management follows The entity has Management’s review
(1.2.1) cedures, and changes and not undertaken takes periodic review a defined process supplemented man- and approval of pri-
thereto, are reviewed and on a consistent basis. of privacy policies that requires their agement review and vacy policies also
approved by management. and procedures; how- review and approval approval with peri- include periodic
ever, little guidance of privacy policies odic reviews by both assessments of the
has been developed and procedures. internal and external privacy program to
for such reviews. privacy specialists. ensure all changes
are warranted,
made and approved;
if necessary, the
approval process
will be revised.
Consistency of Policies and procedures are Reviews and com- Privacy policies and A process has been Changes to privacy Management assesses
Privacy Policies reviewed and compared to parisons with procedures have been implemented that legislation and regu- the degree to which
and Procedures the requirements of appli- applicable laws and reviewed to ensure requires privacy poli- lations are reviewed changes to legisla-
with Laws and cable laws and regulations regulations are per- their compliance with cies to be periodically by management and tion are reflected in
Regulations (1.2.2) at least annually and when- formed inconsistently applicable laws and reviewed and main- changes are made to their privacy policies.
ever changes to such laws and are incomplete. regulations; however, tained to reflect the entity’s privacy
and regulations are made. documented guid- changes in privacy policies and proce-
Privacy policies and pro- ance is not provided. legislation and reg- dures as required.
cedures are revised to ulations; however, Management may
conform with the require- there is no proactive subscribe to a privacy
ments of applicable review of legislation. service that regu-
laws and regulations. larly informs them
of such changes.
6

Personal Information The types of personal The identification of Basic categories of All personal infor- All personal informa- Management main-
Identification and information and sensitive personal information is personal information mation collected, tion is covered by the tains a record of all
Classification (1.2.3) personal information and irregular, incomplete, have been identified used, stored and dis- entity’s privacy and instances and uses of
the related processes, sys- inconsistent, and and covered in the closed within the related security poli- personal information.
tems, and third parties potentially out of date. entity’s security and entity has been clas- cies and procedures. In addition, processes
involved in the handling of Personal informa- privacy policies; how- sified and risk rated. Procedures exist to are in place to ensure
such information are iden- tion is not adequately ever, the classification monitor compliance. changes to busi-
tified. Such information is addressed in the may not have been Personal information ness processes and
covered by the entity’s pri- entity’s privacy and extended to all per- records are reviewed procedures and any
vacy and related security related security poli- sonal information. to ensure appropri- supporting comput-
policies and procedures. cies and procedures. ate classification. erized systems, where
personal information
Personal informa- is involved, result in an
tion may not be updating of personal
differentiated from information records.
other information. Personal information
records are reviewed
to ensure appropri-
ate classification.
Risk Assessment A risk assessment process is Privacy risks may have Employees are aware Processes have been Privacy risks are The entity has a for-
(1.2.4) used to establish a risk base- been identified, but of and consider vari- implemented for reviewed annu- mal risk management
line and, at least annually, such identification is ous privacy risks. Risk risk identification, ally both internally program that includes
to identify new or changed not the result of any assessments may not risk assessment and and externally. privacy risks which
risks to personal information formal process. The be conducted regu- reporting. A docu- Changes to privacy may be customized
and to develop and update privacy risks identi- larly, are not part of mented framework is policies and proce- by jurisdiction, busi-
responses to such risks. fied are incomplete a more thorough risk used and risk appe- dures and the privacy ness unit or function.
and inconsistent. management pro- tite is established. program are updated The program main-
A privacy risk assess- gram and may not For risk assess- as necessary. tains a risk log that is
ment has not likely cover all areas. ment, organizations periodically assessed.
been completed and may wish to use the A formal annual risk
privacy risks not for- AICPA/CICA Privacy management review
mally documented. Risk Assessment Tool. is undertaken to
assess the effective-
ness of the program
and changes are made
where necessary.
A risk manage-
ment plan has been
implemented.
Consistency of Internal personnel or advis- Reviews of contracts Procedures exist to A log of contracts Existing contracts Contracts are
Commitments with ers review contracts for for privacy consider- review contracts and exists and all con- are reviewed upon reviewed on a regu-
Privacy Policies and consistency with privacy ations are incomplete other commitments tracts are reviewed renewal to ensure con- lar basis and tracked.
Procedures (1.2.5) policies and procedures and and inconsistent. for instances where for privacy consider- tinued compliance An automated process
address any inconsistencies. personal information ations and concerns with the privacy poli- has been set up to
may be involved; how- prior to execution. cies and procedures. flag which contracts
ever, such reviews Changes in the enti- require immediate
are informal and not ty’s privacy policies review when changes
consistently used. will trigger a review to privacy poli-
of existing contracts cies and procedures
for compliance. are implemented.
7

Infrastructure and The potential privacy impact Changes to exist- Privacy impact is The entity has imple- Management mon- Through quality
Systems Management is assessed when new pro- ing processes or the considered during mented formal itors and reviews reviews and other
(1.2.6) cesses involving personal implementation of changes to business procedures to assess compliance with poli- independent assess-
information are imple- new business and sys- processes and/or sup- the privacy impact of cies and procedures ments, management is
mented, and when changes tem processes for porting application new and significantly that require a privacy informed of the effec-
are made to such processes privacy issues is not systems; however, changed products, impact assessment. tiveness of the process
(including any such activ- consistently assessed. these processes are services, business for considering pri-
ities outsourced to third not fully documented processes and infra- vacy requirements
parties or contractors), and and the procedures structure (sometimes in all new and modi-
personal information con- are informal and referred to as a fied processes and
tinues to be protected in inconsistently applied. privacy impact assess- systems. Such infor-
accordance with the privacy ment). The entity uses mation is analyzed
policies. For this purpose, a documented sys- and, where neces-
processes involving personal tems development sary, changes made.
information include the and change manage-
design, acquisition, devel- ment process for all
opment, implementation, information systems
configuration, modifica- and related tech-
tion and management of nology employed to
the following: collect, use, retain,
• Infrastructure disclose and destroy
• Systems personal information.
• Applications
• Web sites
• Procedures
• Products and services
• Data bases and
information repositories
• Mobile computing and
other similar electronic
devices
The use of personal infor-
mation in process and
system test and develop-
ment is prohibited unless
such information is ano-
nymized or otherwise
protected in accordance
with the entity’s privacy
policies and procedures.
8

Privacy Incident and A documented privacy Few procedures exist Procedures have A documented A walkthrough of The internal and
Breach Management incident and breach man- to identify and man- been developed on breach manage- the breach man- external privacy
(1.2.7) agement program has age privacy incidents; how to deal with a ment plan has been agement plan is environments are
been implemented that however, they are not privacy incident; implemented that performed period- monitored for issues
includes, but is not lim- documented and are however, they are includes: accountabil- ically and updates affecting breach
ited to, the following: applied inconsistently. not comprehensive ity, identification, risk to the program are risk and breach
• Procedures for and/or inadequate assessment, response, made as needed. response, evaluated
the identification, employee training containment, commu- and improvements
management and has increased the nications (including are made. Manage-
resolution of privacy likelihood of unstruc- possible notification ment assessments
incidents and breaches tured and inconsistent to affected individu- are provided after
• Defined responsibilities responses. als and appropriate any privacy breach
authorities, if required and analyzed;
• A process to identify or deemed neces- changes and improve-
incident severity and sary), remediation ments are made.
determine required actions (including post-breach
and escalation procedures analysis of the
• A process for complying breach response)
with breach laws and and resumption.
regulations, including
stakeholder breach
notification, if required
• An accountability process
for employees or third
parties responsible for
incidents or breaches with
remediation, penalties or
discipline, as appropriate
• A process for periodic
review (at least annually)
of actual incidents
to identify necessary
program updates based on
the following:
—— Incident patterns and
root cause
—— Changes in the internal
control environment or
external requirements
(regulation or
legislation)
• Periodic testing or
walkthrough process (at
least on an annual basis)
and associated program
remediation as needed
9

Supporting Resources are provided by Resources are only Privacy procedures Individuals with Management ensures Management annu-
Resources (1.2.8) the entity to implement and allocated on an “as exist; however, they responsibility and/ that adequately quali- ally reviews its privacy
support its privacy policies. needed” basis to have been “devel- or accountabil- fied privacy resources program and seeks
address privacy oped” within small ity for privacy are are identified and ways to improve the
issues as they arise. units or groups with- empowered with made available program’s perfor-
out support from appropriate authority throughout the entity mance, including
privacy specialists. and resources. Such to support its vari- assessing the ade-
resources are made ous privacy initiatives. quacy, availability
available through- and performance
out the entity. of resources.
Qualifications of The entity establishes qual- The entity has not The entity has some The entity defines The entity has formed The entity annually
Internal Personnel ifications for personnel formally established established qualifi- qualifications for per- a nucleus of privacy- assesses the perfor-
(1.2.9) responsible for protecting qualifications for cations for personnel sonnel who perform qualified individuals mance of their privacy
the privacy and security of personnel who col- who collect, disclose, or manage the enti- to provide privacy program, including
personal information and lect, use, disclose or use or otherwise ty’s collection, use support to assist the performance and
assigns such responsibili- otherwise handle per- handle personal infor- and disclosure of per- with specific issues, qualifications of their
ties only to those personnel sonal information. mation, but are not sonal information. including training privacy-designated
who meet these qualifica- fully documented. Persons responsi- and job assistance. specialists. An analy-
tions and have received Employees receive ble for the protection sis is performed of the
the necessary training. some training on and security of per- results and changes
how to deal with personal information have or improvements
sonal information. received appropri- made, as required.
ate training and have
the necessary knowl-
edge to manage the
entity’s collection, use
and disclosure of per-
sonal information.
Privacy Awareness A privacy awareness Formal privacy train- The entity has a pri- Personnel who handle An enterprise-wide A strong privacy
and Training (1.2.10) program about the enti- ing is not provided vacy awareness personal informa- privacy awareness culture exists. Com-
ty’s privacy policies and to employees; how- program, but train- tion have received and training program pulsory privacy
related matters, and spe- ever some knowledge ing is sporadic and appropriate privacy exists and is moni- awareness and train-
cific training for selected of privacy may be inconsistent. awareness and train- tored by management ing is provided. Such
personnel depending on obtained from other ing to ensure the to ensure compliance training requires
their roles and responsi- employees or anec- entity meets obliga- with specific train- employees to com-
bilities, are provided. dotal sources. tions in its privacy ing requirements. The plete assignments to
notice and applica- entity has determined validate their under-
ble laws. Training is which employees standing. When
scheduled, timely require privacy train- privacy incidents or
and consistent. ing and tracks their breaches occur, reme-
participation dur- dial training as well as
ing such training. changes to the train-
ing curriculum is made
10

Changes in For each jurisdiction in Changes in busi- The entity is aware The entity has imple- The entity has estab- The entity has estab-
Regulatory which the entity oper- ness and regulatory that certain changes mented policies and lished a process to lished a process to
and Business ates, the effect on privacy environments are may impact their procedures designed monitor the privacy continually moni-
Requirements (1.2.11) requirements from changes addressed sporadi- privacy initiatives; to monitor and act environment and iden- tor and update any
in the following factors is cally in any privacy however, the pro- upon changes in the tify items that may privacy obligations
identified and addressed: initiatives the entity cess is not fully business and/or reg- impact its privacy pro- that may arise from
—— Legal and regulatory may contemplate. documented. ulatory environment. gram. Changes are changes to legis-
—— Contracts, including Any privacy-related The procedures are considered in terms lation, regulations,
service-level agreements issues or concerns inclusive and employ- of the entity’s legal, industry-specific
that are identi- ees receive training contracting, busi- requirements and
—— Industry requirements fied only occur in an in their use as part of ness, human resources business practices.
—— Business operations and informal manner. an enterprise-wide and technology.
processes privacy program.
—— People, roles, and
responsibilities
—— Technology
Privacy policies and proce-
dures are updated to reflect
changes in requirements.
NOTICE (5 criteria) The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used,
retained, and disclosed.
Privacy Policies The entity’s privacy pol- Notice policies Notice provisions Notice provisions Compliance with Management moni-
(2.1.0) icies address providing and procedures exist in privacy poli- in privacy policies notice provisions in tors compliance with
notice to individuals. exist informally. cies and procedures cover all relevant privacy policies and privacy policies and
but may not cover all aspects and are procedures is moni- procedures relating
aspects and are not fully documented. tored and the results to notice. Issues of
fully documented. of such monitoring are non-compliance are
used to reinforce key identified and reme-
privacy messages. dial action taken to
ensure compliance.
Communication to Notice is provided to indi- Notice to individu- Notice is provided to Notice is provided to Privacy policies Changes and improve-
Individuals (2.1.1) viduals regarding the als is not provided individuals regarding individuals regard- describe the conse- ments to messaging
following privacy policies: in a consistent man- some of the following all of the following quences, if any, of and communications
purpose; choice/consent; ner and may not ing privacy policies privacy policies at or not providing the techniques are made
collection; use/retention/ include all aspects of at or before the time before collection and requested informa- in response to peri-
disposal; access; disclosure privacy, such as pur- of collection: pur- is documented: pur- tion and indicate that odic assessments
to third parties; security for pose; choice/consent; pose; choice/consent; pose; choice/consent; certain information and feedback.
privacy; quality; and mon- collection; use, reten- collection; use, reten- collection; use, reten- may be developed
itoring/enforcement. tion and disposal; tion and disposal; tion and disposal; about individuals,
If personal information access; disclosure; access; disclosure; access; disclosure; such as buying pat-
is collected from sources security for privacy; security for privacy; security for privacy; terns, or collected
other than the individ- quality; and monitor- quality; and monitor- quality; and monitor- from other sources.
ual, such sources are ing/enforcement. ing/enforcement. ing/enforcement.
described in the notice.
11

NOTICE (5 criteria) The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used,
cont. retained, and disclosed.
Provision of Notice Notice is provided to the Notice may not Notice provided to The privacy notice is The entity tracks The entity solicits
(2.2.1) individual about the enti- be readily acces- individuals is gener- documented, read- previous iterations input from relevant
ty’s privacy policies and sible nor provided ally accessible but ily accessible and of the privacy poli- stakeholders regard-
procedures (a) at or before on a timely basis. is not provided on a available, provided cies and individuals ing the appropriate
the time personal infor- timely basis. Notice in a timely fashion are informed about means of provid-
mation is collected, or as may not be provided and clearly dated. changes to a previ- ing notice and makes
soon as practical thereafter, in all cases when per- ously communicated changes as deemed
(b) at or before the entity sonal information privacy notice. The appropriate.
changes its privacy policies is collected or used privacy notice is Notice is provided
and procedures, or as soon for new purposes. updated to reflect using various tech-
as practical thereafter, or (c) changes to policies niques to meet the
before personal information and procedures. communications
is used for new purposes technologies of their
not previously identified. constituents (e.g.
social media, mobile
communications, etc).
Entities and An objective descrip- The privacy notice The privacy notice The privacy notice The entity performs Management follows
Activities Covered tion of the entities and may not include describes some of objectively describes a periodic review to a formal documented
(2.2.2) activities covered by pri- all relevant enti- the particular entities, and encompasses ensure the entities and process to consider
vacy policies is included ties and activities. business segments, all relevant entities, activities covered by and take appropriate
in the privacy notice. locations, and types of business segments, privacy policies are action as necessary to
information covered. locations, and types of updated and accurate. update privacy poli-
information covered. cies and the privacy
notice prior to any
change in the enti-
ty’s business structure
and activities.
Clear and The privacy notice is Privacy policies are The privacy notice The privacy notice is Similar formats are Feedback about
Conspicuous (2.2.3) conspicuous and uses informal, not doc- may be informally pro- in plain and simple used for different improvements to the
clear language. umented and may vided but is not easily language, appropri- and relevant subsid- readability and con-
be phrased differ- understood, nor is it ately labeled, easy iaries or segments tent of the privacy
ently when orally easy to see or eas- to see, and not in of an entity to avoid policies are analyzed
communicated. ily available at points small print. Privacy confusion and allow and incorporated into
of data collection. If a notices provided elec- consumers to iden- future versions of
formal privacy notice tronically are easy to tify any differences. the privacy notice.
exists, it may not be access and navigate. Notice formats
clear and conspicuous. are periodically
reviewed for clar-
ity and consistency.
12

CHOICE and The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and
CONSENT (7 criteria) disclosure of personal information.
Privacy Policies The entity’s privacy poli- Choice and consent Choice and consent Choice and consent Compliance with Management moni-
(3.1.0) cies address the choices policies and proce- provisions in privacy provisions in pri- choice and consent tors compliance with
to individuals and the con- dures exist informally. policies and pro- vacy policies and provisions in privacy privacy policies and
sent to be obtained. cedures exist but procedures cover all policies and proce- procedures relating to
may not cover all relevant aspects and dures is monitored choice and consent.
aspects, and are not are fully documented. and the results of such Issues of non-compli-
fully documented. monitoring are used ance are identified and
to reinforce key pri- remedial action taken
vacy messages. to ensure compliance.
Communication to Individuals are informed Individuals may be The entity’s privacy The entity’s privacy Privacy policies Changes and improve-
Individuals (3.1.1) about (a) the choices avail- informed about the notice describes notice describes, in and procedures are ments to messaging
able to them with respect choices available to in a clear and con- a clear and concise reviewed periodically and communications
to the collection, use, and them; however, com- cise manner some manner, all of the fol- to ensure the choices techniques and tech-
disclosure of personal munications are of the following: 1) lowing: 1) choices available to individ- nologies are made
information, and (b) that inconsistent, sporadic choices available to available to the indi- uals are updated as in response to peri-
implicit or explicit con- and undocumented. the individual regard- vidual regarding necessary and the use odic assessments
sent is required to collect, ing collection, use, collection, use, and of explicit or implicit and feedback.
use, and disclose personal and disclosure of per- disclosure of per- consent is appropri-
information, unless a law sonal information, 2) sonal information, 2) ate with regard to
or regulation specifically the process an indi- the process an indi- the personal infor-
requires or allows otherwise. vidual should follow vidual should follow mation being used
to exercise these to exercise these or disclosed.
choices, 3) the ability choices, 3) the ability
of, and process for, an of, and process for, an
individual to change individual to change
contact preferences contact preferences
and 4) the conse- and 4) the conse-
quences of failing quences of failing
to provide personal to provide personal
information required. information required.
Consequences When personal informa- Individuals may not Consequences may be Individuals are Processes are in place Processes are imple-
of Denying or tion is collected, individuals be informed con- identified but may not informed about the to review the stated mented to reduce
Withdrawing are informed of the consistently about the be fully documented consequences of consequences peri- the consequences
Consent (3.1.2) sequences of refusing to consequences of or consistently dis- refusing to provide odically to ensure of denying consent,
provide personal information refusing, denying closed to individuals. personal information completeness, accu- such as increas-
or of denying or withdraw- or withdrawing. or denying or with- racy and relevance. ing the granularity
ing consent to use personal drawing consent. of the application of
information for purposes such consequences.
identified in the notice.
13

cont.
Implicit or Explicit Implicit or explicit con- Consent is neither Consent is consis- Consent is obtained An individual’s prefer- Consent processes are
Consent (3.2.1) sent is obtained from the documented nor con- tently obtained, but before or at the ences are confirmed periodically reviewed
individual at or before the sistently obtained at may not be docu- time personal infor- and any changes to ensure the individ-
time personal informa- or before collection of mented or obtained mation is collected are documented ual’s preferences are
tion is collected or soon personal information. in a timely fashion. and preferences are and referenced being appropriately
after. The individual’s pref- implemented (such prior to future use. recorded and acted
erences expressed in his as making appropri- upon and, where nec-
or her consent are con- ate database changes essary, improvements
firmed and implemented. and ensuring that pro- made. Automated
grams that access the processes are fol-
database test for the lowed to test consent
preference). Explicit prior to use of per-
consent is docu- sonal information.
mented and implicit
consent processes
are appropriate. Pro-
cesses are in place to
ensure that consent
is recorded by the
entity and referenced
prior to future use.
Consent for New If information that was pre- Individuals are not Individuals are consis- Consent is obtained Processes are in place Consent processes are
Purposes and Uses viously collected is to be consistently notified tently notified about and documented to ensure personal periodically reviewed
(3.2.2) used for purposes not pre- about new proposed new purposes not prior to using per- information is used to ensure consent
viously identified in the uses of personal previously specified. sonal information for only in accordance for new purposes is
privacy notice, the new pur- information previ- A process exists to purposes other than with the purposes for being appropriately
pose is documented, the ously collected. notify individuals but those for which it was which consent has recorded and acted
individual is notified and may not be fully doc- originally collected. been obtained and to upon and where nec-
implicit or explicit con- umented and consent ensure it is not used essary, improvements
sent is obtained prior to might not be obtained if consent is with- made. Automated
such new use or purpose. before new uses. drawn. Monitoring processes are fol-
is in place to ensure lowed to test consent
personal information prior to use of per-
is not used with- sonal information.
out proper consent.
Explicit Consent for Explicit consent is obtained Explicit consent Employees who A documented for- The process is For procedures that
Sensitive Information directly from the individ- is not consistently collect personal informal process has been reviewed and com- collect sensitive per-
(3.2.3) ual when sensitive personal obtained prior to col- mation are aware that implemented requir- pliance monitored to sonal information
information is collected, lection of sensitive explicit consent is ing explicit consent be ensure explicit con- and do not obtain
used, or disclosed, unless personal information. required when obtain- obtained directly from sent is obtained prior explicit consent, reme-
a law or regulation specifi- ing sensitive personal the individual prior to, to, or as soon as prac- diation plans are
cally requires otherwise. information; how- or as soon as practi- tically possible, after identified and imple-
ever, the process is cally possible, after collection of sensitive mented to ensure
not well defined or collection of sensitive personal information. explicit consent has
fully documented. personal information. been obtained.
14

cont.
Consent for Online Consent is obtained Consent is not consis- Software enables an The application is The process is Where procedures
Data Transfers To or before personal infor- tently obtained before individual to provide designed to con- reviewed and com- have been identified
From an Individual’s mation is transferred to/ personal information consent before per- sistently solicit and pliance monitored that do not obtain
Computer or Other from an individual’s com- is transferred to/from sonal information is obtain consent before to ensure consent is consent before per-
Similar Electronic puter or similar device. another computer or transferred to/from personal information obtained before any sonal information is
Devices (3.2.4) other similar device. another computer or is transferred to/from personal information is transferred to/from
other similar device. another computer or transferred to/from an an individual’s com-
other similar device individual’s computer puter or other similar
and does not make or other similar device. device, remediation
any such transfers if plans are identified
consent has not been and implemented.
obtained. Such con-
sent is documented.
COLLECTION The entity collects personal information only for the purposes identified in the notice.
(7 criteria)
Privacy Policies The entity’s privacy poli- Collection poli- Collection provisions Collection provi- Compliance with col- Management moni-
(4.1.0) cies address the collection cies and procedures in privacy policies and sions in privacy lection provisions in tors compliance with
of personal information. exist informally. procedures exist but policies cover all rel- privacy policies and privacy policies and
might not cover all evant aspects of procedures is moni- procedures relating to
aspects, and are not collection and are tored and the results collection. Issues of
fully documented. fully documented. of such monitoring are non-compliance are
used to reinforce key identified and reme-
privacy messages. dial action taken to
ensure compliance.
Communication to Individuals are informed that Individuals may be Individuals are Individuals are Privacy policies are Changes and improve-
Individuals (4.1.1) personal information is col- informed that per- informed that per- informed that per- reviewed periodi- ments to messaging
lected only for the purposes sonal information is sonal information is sonal information is cally to ensure the and communications
identified in the notice. collected only for pur- collected only for the collected only for the areas related to col- methods and tech-
poses identified in purposes identified purposes identified lection are updated niques are made in
the notice; however, in the notice. Such in the notice and the as necessary. response to peri-
communications are notification is gener- sources and methods odic assessments
inconsistent, sporadic ally not documented. used to collect this and feedback.
and undocumented. personal information
are identified. Such
notification is avail-
able in written format.
15

Types of Personal The types of personal Individuals may be The types of personal The types of per- Management monitors The privacy notice
Information information collected informed about the information collected sonal information business processes is reviewed regu-
Collected and and the methods of col- types of personal and the methods of collected and the to identify new types larly and updated in
Methods of lection, including the information collected collection, including methods of collec- of personal informa- a timely fashion to
Collection (4.1.2) use of cookies or other and the methods of the use of cookies or tion, including the use tion collected and describe all the types
tracking techniques, are collection; however, other tracking tech- of cookies or other new methods of col- of personal informa-
documented and described communications are niques, are neither tracking techniques, lection to ensure tion being collected
in the privacy notice. informal, may not be fully documented are fully documented they are described in and the methods
complete and may nor fully described in and fully described in the privacy notice. used to collect them.
not fully describe the the privacy notice. the privacy notice.
methods of collection. The notice also dis-
closes whether
information is devel-
oped or acquired
about individuals,
such as buying pat-
terns. The notice
also describes the
consequences if the
cookie is refused.
Collection Limited to The collection of personal Informal and undoc- Policies and proce- Policies and proce- Policies and proce- Policies, procedures
Identified Purpose information is limited to that umented procedures dures, may not: dures that have been dures are in place to and business pro-
(4.2.1) necessary for the purposes are relied upon • be fully implemented are periodically review the cesses are updated
identified in the notice. to ensure collec- documented; fully documented to entity’s needs for per- due to changes in
tion is limited to that • distinguish the clearly distinguish sonal information. the entity’s needs for
necessary for the pur- personal information the personal infor- personal informa-
poses identified in essential for the mation essential for tion. Corrective action
the privacy notice. purposes identified the purposes iden- is undertaken when
in the notice; tified in the notice information not neces-
and differentiate it sary for the purposes
• differentiate from optional infor- identified is collected.
personal information mation. Collection of
from optional personal information
information. is limited to informa-
tion necessary for the
purposes identified in
the privacy notice.
16

Collection by Fair Methods of collecting per- Informal procedures Management may Methods of collecting Methods of col- Complaints to the
and Lawful Means sonal information are exist limiting the col- conduct reviews of personal informa- lecting personal entity are reviewed
(4.2.2) reviewed by management lection of personal how personal infor- tion are reviewed by information are peri- to identify where
before they are imple- information to that mation is collected, management before odically reviewed by unlawful or decep-
mented to confirm that which is fair and law- but such reviews they are implemented management after tive practices exist.
personal information is ful; however, they may are inconsistent and to confirm that per- implementation to Such complaints are
obtained (a) fairly, without be incomplete and untimely. Policies and sonal information is confirm personal infor- reviewed, analyzed
intimidation or deception, inconsistently applied. procedures related to obtained (a) fairly, mation is obtained and changes to poli-
and (b) lawfully, adher- the collection of per- without intimidation fairly and lawfully. cies and procedures
ing to all relevant rules of sonal information are or deception, and (b) to correct such prac-
law, whether derived from either not fully docu- lawfully, adhering to tices are implemented.
statute or common law, mented or incomplete. all relevant rules of
relating to the collection law, whether derived
of personal information. from statute or com-
mon law, relating to
the collection of per-
sonal information.
Collection from Third Management confirms Limited guidance Reviews of third- The entity consis- Once agreements Lessons learned from
Parties (4.2.3) that third parties from and direction exist to party practices are tently reviews privacy have been imple- contracting and con-
whom personal informa- assist in the review of performed but such policies, collection mented, the entity tract management
tion is collected (that is, third-party practices procedures are not methods, and types of conducts a periodic processes are ana-
sources other than the regarding collection of fully documented. consents of third par- review of third-party lyzed and, where
individual) are reliable personal information. ties before accepting collection of per- appropriate, improve-
sources that collect infor- personal informa- sonal information. ments are made to
mation fairly and lawfully. tion from third-party Corrective actions existing and future
data sources. Clauses are discussed with contracts involving
are included in agree- third parties. collection of personal
ments that require information involv-
third-parties to collect ing third parties.
information fairly and
lawfully and in accor-
dance with the entity’s
privacy policies.
Information Individuals are informed Policies and pro- Policies and proce- The entity’s pri- The entity monitors The entity’s pri-
Developed About if the entity develops or cedures informing dures exist to inform vacy notice indicates information collection vacy notice provides
Individuals (4.2.4) acquires additional informa- individuals that addi- individuals when the that, if applicable, it processes, including transparency in the
tion about them for its use. tional information entity develops or may develop and/ the collection of addi- collection, use and
about them is being acquires additional or acquire informa- tional information, to disclosure of per-
collected or used are personal information about individuals ensure appropriate sonal information.
informal, inconsis- tion about them for by using third-party notification and con- Individuals are given
tent and incomplete. its use; however, pro- sources, brows- sent requirements are multiple opportunities
cedures are not fully ing, e-mail content, complied with. Where to learn how personal
documented or con- credit and purchas- necessary, changes information is devel-
sistently applied. ing history. Additional are implemented. oped or acquired.
consent is obtained
where necessary.
17

USE, RETENTION The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit
AND DISPOSAL consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and
(5 criteria) thereafter appropriately disposes of such information.
Privacy Policies The entity’s privacy pol- Procedures for the Use, retention and Use, retention and dis- Compliance with use, Management moni-
(5.1.0) icies address the use, use, retention and disposal provisions posal provisions in retention and disposal tors compliance with
retention, and disposal of disposal of personal in privacy policies privacy policies and provisions in privacy privacy policies and
personal information. information are ad and procedures exist procedures cover all policies and proce- procedures relating
hoc, informal and but may not cover all relevant aspects and dures is monitored. to use, retention and
likely incomplete. aspects, and are not are fully documented. disposal. Issues of
fully documented. non-compliance are
identified and reme-
dial action taken to
ensure compliance
Communication to Individuals are informed Individuals may be Individuals are Individuals are Methods are in place Individuals’ general
Individuals (5.1.1) that personal informa- informed about informed about the consistently and uni- to update communi- level of understand-
tion is (a) used only for the the uses, reten- use, retention and formly informed cations to individuals ing of use, retention
purposes identified in the tion and disposal of disposal of per- about use, retention when changes occur and disposal of per-
notice and only if the indi- their personal infor- sonal information, and disposal of per- to use, retention and sonal information is
vidual has provided implicit mation; however, but this communica- sonal information. disposal practices. assessed. Feedback is
or explicit consent, unless communications are tion may not cover Data retention peri- used to continuously
a law or regulation specif- inconsistent, sporadic all aspects and is not ods are identified improve communi-
ically requires otherwise, and undocumented. fully documented. and communicated cation methods.
(b) retained for no longer Retention periods to individuals.
than necessary to fulfill the are not uniformly
stated purposes, or for a communicated.
period specifically required
by law or regulation, and (c)
disposed of in a manner that
prevents loss, theft, mis-
use or unauthorized access.
Use of Personal Personal information is The use of personal Policies and proce- Use of personal infor- Uses of personal The uses of per-
Information (5.2.1) used only for the purposes information may be dures regarding the mation is consistent information are sonal information are
identified in the notice inconsistent with the use of information with the purposes monitored and peri- monitored and peri-
and only if the individ- purposes identified have been adopted; identified in the pri- odically reviewed odically assessed for
ual has provided implicit in the notice. Con- however, they are vacy notice. Consent for appropriateness. appropriateness; ver-
or explicit consent, unless sent is not always not documented for these uses is con- Management ensures ifications of consent
a law or regulation specifi- obtained consistently. and may not be consistently obtained. that any discrepan- and usage are con-
cally requires otherwise. sistently applied. Uses of personal cies are corrected ducted through the
information through- on a timely basis. use of automation.
out the entity are in Any discrepancies are
accordance with the remediated in a timely
individual’s prefer- fashion. Changes to
ences and consent. laws and regulations
are monitored and
the entity’s policies
and procedures are
amended as required.
18

USE, RETENTION The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit
AND DISPOSAL consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and
(5 criteria) cont. thereafter appropriately disposes of such information.
Retention of Personal Personal information is The retention of Policies and proce- The entity has docu- Retention prac- The retention of per-
Information (5.2.2) retained for no longer than personal informa- dures for identifying mented its retention tices are periodically sonal information is
necessary to fulfill the tion is irregular retention periods of policies and proce- reviewed for compli- monitored and peri-
stated purposes unless a and inconsistent. personal information dures and consistently ance with policies and odically assessed for
law or regulation specifi- have been adopted, retains personal infor- changes implemented appropriateness, and
cally requires otherwise. but may not be fully mation in accordance when necessary. verifications of reten-
documented or cover with such poli- tion are conducted.
all relevant aspects. cies and practices. Such processes are
automated to the
extent possible.
Any discrepancies
found are remediated
Disposal, Destruction Personal information no The disposal, destruc- Policies and proce- The entity has docu- The disposal, destruc- The disposal, destruc-
and Redaction of longer retained is ano- tion and redaction of dures for identifying mented its policies tion, and redaction tion, and redaction of
Personal Information nymized, disposed of or personal information appropriate and cur- and procedures of personal informa- personal information
(5.2.3) destroyed in a manner that is irregular, inconsis- rent processes and regarding the dis- tion are consistently are monitored and
prevents loss, theft, mis- tent and incomplete. techniques for the posal, destruction documented and peri- periodically assessed
use or unauthorized access. appropriate dis- and redaction of per- odically reviewed for appropriateness,
posal, destruction sonal information, for compliance and verification of
and redaction of per- implemented such with policies and the disposal, destruc-
sonal information practices and ensures appropriateness. tion and redaction
have been adopted that these practices conducted. Such pro-
but are not fully docu- are consistent with cesses are automated
mented or complete. the privacy notice. to the extent possible.
Any discrepancies
found are remediated
ACCESS (8 criteria) The entity provides individuals with access to their personal information for review and update.
Privacy Policies The entity’s privacy pol- Informal access Access provisions in Access provisions in Compliance with Management moni-
(6.1.0) icies address providing policies and pro- privacy policies and privacy policies and access provi- tors compliance with
individuals with access to cedures exist. procedures exist but procedures exist but sions in privacy privacy policies and
their personal information. may not cover all may not cover all policies and proce- procedures relating
aspects, and are not aspects, and are not dures is monitored. to access. Issues of
fully documented. fully documented. non-compliance are
ensure compliance.
19

cont.
Communication to Individuals are informed Individuals may be Individuals are usually Individuals are usually Processes are in place The entity ensures
Individuals (6.1.1) about how they may informed about how informed about pro- informed about pro- to update communi- that individuals are
obtain access to their they may obtain cedures available to cedures available to cations to individuals informed about their
personal information to access to their per- them to access their them to access their when changes occur personal informa-
review, update and cor- sonal information; personal information, personal information, to access policies, pro- tion access rights,
rect that information. however, communica- but this communi- but this communi- cedures and practices. including update and
tions are inconsistent, cation process may cation process may correction options,
sporadic and undoc- not cover all aspects not cover all aspects through channels
umented. and is not fully docu- and is not fully docu- such as direct com-
mented. Update and mented. Update and munication programs,
correction options correction options notification on state-
may not be uniformly may not be uniformly ments and other
communicated. communicated. mailings and train-
ing and awareness
programs for staff.
Management mon-
itors and assesses
the effects of its var-
ious initiatives and
seeks to continuously
improve methods
of communication
and understanding.
Access by Individuals Individuals are able to The entity has infor- Some procedures Procedures to search Procedures are in The entity reviews
to their Personal determine whether the mal procedures are in place to allow for an individual’s per- place to ensure indi- the processes used
Information (6.2.1) entity maintains per- granting individuals individuals to access sonal information viduals receive timely to handle access
sonal information about access to their infor- their personal infor- and to grant individ- communication of requests to determine
them and, upon request, mation; however, mation, but they may uals access to their what information where improve-
may obtain access to their such procedures are not cover all aspects information have the entity maintains ments may be made
personal information. not be documented and may not be been documented, about them and and implements
and may not be con- fully documented. implemented and how they can obtain such improvements.
sistently applied. cover all relevant access. The entity Access to per-
aspects. Employ- monitors information sonal information is
ees have been trained and access requests automated and self-
in how to respond to ensure appropri- service when possible
to these requests, ate access to such and appropriate.
including record- personal informa-
ing such requests. tion is provided.
The entity identi-
fies and implements
measures to improve
the efficiency of
its searches for an
individual’s per-
sonal information.
20

cont.
Confirmation of an The identity of individu- Procedures to authen- Procedures are in Confirmation/authen- Procedures are in The success-
Individual’s Identity als who request access ticate individuals place to confirm the tication methods have place to track and ful confirmation/
(6.2.2) to their personal infor- requesting access identity of individu- been implemented to monitor the confirma- authentication of indi-
mation is authenticated to their informa- als requesting access uniformly and con- tion/authentication of viduals before they
before they are given tion are informal, to their personal infor- sistently confirm the individuals before they are granted access to
access to that information. not documented mation before they identity of individu- are granted access personal information
and may not be con- are granted access, als requesting access to personal informa- is monitored and peri-
sistently applied. but do not cover all to their personal infor- tion, and to review the odically assessed for
aspects and may mation, including the validity of granting type 1 (where errors
not be documented. training of employees. access to such per- are not caught) and
Level of authentica- sonal information. type 2 (where an error
tion required may not has been incorrectly
be appropriate to the identified) errors.
personal informa- Remediation plans
tion being accessed. to lower the error
rates are formulated
and implemented.
Understandable Personal information is pro- The entity has some Procedures are in Procedures have Procedures are in Reports of response
Personal Information, vided to the individual in an informal proce- place requiring that been implemented place to track and times in providing
Time Frame, and understandable form, in a dures designed to personal information that consistently and monitor the response personal information
Cost (6.2.3) reasonable timeframe, and provide informa- be provided to the uniformly provide time in providing per- are monitored and
at a reasonable cost, if any. tion to individuals in individual in an under- personal informa- sonal information, assessed. The asso-
an understandable standable form, in a tion to the individual the associated costs ciated costs incurred
form. Timeframes reasonable timeframe in an understandable incurred by the entity by the entity and any
and costs charged and at a reasonable form, in a reason- and any charges to charges to the indi-
may be inconsistent cost, but may not be able timeframe and the individual making vidual making the
and unreasonable. fully documented or at a reasonable cost. the request. Peri- request are peri-
cover all aspects. odic assessments odically assessed.
of the understand- Periodic assessments
ability of the format of the understand-
for information pro- ability of the format
vided to individuals for information pro-
are conducted. vided to individuals
are conducted. Reme-
diation plans are made
and implemented
for unacceptable
response time, exces-
sive or inconsistent
charges and diffi-
cult-to-read personal
information report for-
mats. Conversion of
personal information
to an understandable
form is automated
where possible
and appropriate.
21

cont.
Denial of Access Individuals are informed, Informal procedures Procedures are in Consistently applied Procedures are in Reports of denial
(6.2.4) in writing, of the reason a are used to inform place to inform indi- and uniform pro- place to review the reasons, response
request for access to their individuals, of the viduals of the reason a cedures have been response time to indi- times and challenge
personal information was reason a request for request for access to implemented to viduals whose access communications
denied, the source of the access to their per- their personal infor- inform individuals in request has been are monitored and
entity’s legal right to deny sonal information was mation was denied, writing of the rea- denied, reasons for assessed. Remediation
such access, if applica- denied; however they but they may not be son a request for such denials, as well as plans are identified
ble, and the individual’s are incomplete and documented or cover access to their per- any communications and implemented
right, if any, to challenge inconsistently applied. all aspects. Notifica- sonal information was regarding challenges. for unacceptable
such denial, as specifi- tion may not be in denied. The entity’s response time and
cally permitted or required writing or include the legal rights to deny inappropriate deni-
by law or regulation. entity’s legal rights to such access have been als of access.
deny such access and identified as well as The denial process
the individual’s right the individual’s right is automated and
to challenge denials. to challenge denials. includes electronic
responses where pos-
sible and appropriate.
Updating or Individuals are able to Informal and undoc- Some procedures are Documented policies Procedures are in Reports of updates
Correcting Personal update or correct per- umented procedures in place for individuals with supporting pro- place to track data and correction
Information (6.2.5) sonal information held by exist that provide to update or correct cedures have been update and correction requests and response
the entity. If practical and individuals with infor- personal information implemented to con- requests and to vali- time to update records
economically feasible to mation on how to held by the entity, but sistently and uniformly date the accuracy and are monitored and
do so, the entity provides update or correct per- they are not complete inform individuals completeness of such assessed. Documenta-
such updated or corrected sonal information and may not be fully of how to update or data. Documenta- tion or justification for
information to third par- held by the entity; documented. A pro- correct personal infor- tion or justification is not providing infor-
ties that previously were however, they are cess exists to review mation held by the kept for not providing mation updates to
provided with the individu- incomplete and incon- and confirm the valid- entity. Procedures information updates to relevant third par-
al’s personal information. sistently applied. ity of such requests have been imple- relevant third parties. ties is monitored and
and inform third mented to consistently assessed to deter-
parties of changes and uniformly provide mine whether the
made; however, not updated information economically feasible
all of the processes to third parties that requirement was met.
are documented. previously received Updating is automated
the individual’s per- and self-service where
sonal information. possible and appro-
priate. Distribution of
updated information
to third parties is also
automated where pos-
sible and appropriate.
22

cont.
Statement of Individuals are informed, Procedures used Procedures are in Documented policies Procedures are in Cases that involve
Disagreement (6.2.6) in writing, about the to inform individu- place to inform indi- and procedures that place to track and disagreements over
reason a request for als of the reason a viduals about the cover relevant aspects review the reasons a the accuracy and
correction of personal infor- request for correction reason a request for have been imple- request for correction completeness of
mation was denied, and of personal informa- correction of per- mented to inform of personal informa- personal informa-
how they may appeal. tion was denied, and sonal information individuals in writ- tion was denied. tion are reviewed
how they may appeal was denied, and how ing about the reason a and remediation
are inconsistent and they may appeal, but request for correction plans are identified
undocumented. they are not com- of personal informa- and implemented as
plete or documented. tion was denied, and appropriate. The
how they may appeal. process to com-
plete a Statement of
Disagreement is auto-
mated where possible
and appropriate.
DISCLOSURE TO The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the
THIRD PARTIES individual.
(7 criteria)
Privacy Policies The entity’s privacy poli- Informal disclosure Disclosure provi- Disclosure provi- Compliance with dis- Management moni-
(7.1.0) cies address the disclosure policies and pro- sions in privacy sions in privacy closure provisions tors compliance with
of personal information cedures exist but policies exist but policies cover all rel- in privacy policies privacy policies and
to third parties. may not be con- may not cover all evant aspects and are is monitored. procedures relat-
sistently applied. aspects, and are not fully documented. ing to disclosure to
fully documented. third parties. Issues
of non-compliance are
ensure compliance.
Communication to Individuals are informed Individuals may be Procedures are in Documented proce- Procedures exist Issues identified or
Individuals (7.1.1) that personal information informed that per- place to inform indi- dures that cover all to review new or communicated to the
is disclosed to third parties sonal information viduals that personal relevant aspects, and changed business pro- entity with respect
only for the purposes iden- is disclosed to third information is dis- in accordance with cesses, third parties to the disclosure of
tified in the notice and for parties only for the closed to third parties; relevant laws and reg- or regulatory bodies personal informa-
which the individual has pro- purposes identified in however, limited doc- ulations are in place to requiring compliance tion to third parties
vided implicit or explicit the notice; however, umentation exists inform individuals that to ensure appropri- are monitored and,
consent unless a law or reg- communications are and the procedures personal information is ate communications where necessary,
ulation specifically allows inconsistent, sporadic may not be per- disclosed to third par- to individuals are changes and improve-
or requires otherwise. and undocumented. formed consistently ties, but only for the provided and con- ments made to the
or in accordance purposes identified sent obtained where policies and pro-
with relevant laws in the privacy notice necessary. cedures to better
and regulations. and for which the indi- inform individuals.
vidual has provided
consent. Third parties
or classes of third par-
ties to whom personal
information is dis-
closed are identified.
23

Communication to Privacy policies or other Procedures to com- Procedures are in Documented poli- A review is periodi- Contracts and other
Third Parties (7.1.2) specific instructions or municate to third place to communi- cies and procedures cally performed to agreements involving
requirements for han- parties their respon- cate to third parties exist and are consis- ensure third parties personal informa-
dling personal information sibilities with respect the entity’s privacy tently and uniformly have received the tion provided to third
are communicated to third to personal informa- policies or other spe- applied to communi- entity’s privacy poli- parties are reviewed
parties to whom personal tion provided to them cific instructions or cate to third parties cies, instructions and to ensure the appro-
information is disclosed. are informal, inconsis- requirements for the privacy policies or other requirements priate information
tent and incomplete. handling personal other specific instruc- relating to personal has been communi-
information, but tions or requirements information that has cated and agreement
they are inconsis- for handling per- been disclosed. has been obtained.
tently applied and not sonal information. Acknowledgement Remediation plans
fully documented. Written agreements of the receipt of the are developed
with third parties are above is monitored. and implemented
in place confirming where required.
their adherence to the
entity’s privacy poli-
cies and procedures.
Disclosure of Personal information is dis- Procedures regarding Procedures are in Documented pro- Procedures are in Reports of personal
Personal Information closed to third parties only the disclosure of per- place to ensure dis- cedures covering all place to test and information provided
(7.2.1) for the purposes described sonal information to closure of personal relevant aspects have review whether dis- to third parties are
in the notice, and for which third parties are infor- information to third been implemented closure to third maintained and such
the individual has pro- mal, incomplete and parties is only for the to ensure disclosure parties is in compli- reports are reviewed
vided implicit or explicit applied inconsistently. purposes described of personal informa- ance with the entity’s to ensure only infor-
consent, unless a law or reg- in the privacy notice tion to third parties privacy policies. mation that has
ulation specifically requires and for which the indi- is only for the pur- consent has been pro-
or allows otherwise. vidual has provided poses described in vided to third parties.
consent, unless laws or the privacy notice and Remediation plans
regulations allow oth- for which the indi- are developed and
erwise; however, such vidual has provided implemented where
procedures may not consent, unless laws inappropriate disclo-
be fully documented or regulations allow sure has occurred or
or consistently and otherwise. They are where third parties
uniformly evaluated. uniformly and con- are not in compliance
sistently applied. with their commit-
ments. Disclosure
to third parties may
be automated.
24

Protection of Personal information is Procedures used to Procedures are in Documented poli- An assessment of Changes in a third-
Personal Information disclosed only to third par- ensure third-party place to ensure per- cies and procedures third party proce- party environment
(7.2.2) ties who have agreements agreements are in sonal information covering all rele- dures is periodically are monitored to
with the entity to protect place to protect per- is disclosed only to vant aspects have performed to ensure ensure the third
personal information in a sonal information third parties that been implemented to such procedures con- party can continue
manner consistent with prior to disclosing to have agreements with ensure personal infor- tinue to meet the to meet its obliga-
the relevant aspects of the third parties are infor- the entity to protect mation is disclosed entity’s requirements. tions with respect to
entity’s privacy policies mal, incomplete and personal informa- only to third parties Such assessments personal information
or other specific instruc- inconsistently applied. tion in a manner that have agreements may be performed disclosed to them.
tions or requirements. The The entity does not consistent with the with the entity to by the entity or an Remediation plans
entity has procedures in have procedures to relevant aspects of protect personal infor- independent qual- are developed and
place to evaluate that the evaluate the effec- the entity’s privacy mation in a manner ified third party. implemented where
third parties have effective tiveness of third-party policies or other spe- consistent with the necessary. The entity
controls to meet the terms controls to protect cific instructions or relevant aspects of evaluates compliance
of the agreement, instruc- personal information. requirements, but are the entity’s privacy using a number of
tions, or requirements. not consistently and policies or other spe- approaches to obtain
uniformly applied or cific instructions or an increasing level of
fully documented. requirements. The assurance depending
Some procedures entity has procedures on its risk assessment.
are in place to deter- to evaluate whether
mine whether third third parties have
parties have rea- effective controls to
sonable controls; meet the terms of the
however, they are not agreement, instruc-
consistently and uni- tions or requirements.
formly assessed.
New Purposes and Personal information is Procedures to ensure Procedures exist to Documented pro- Monitoring proce- Reports of disclosure
Uses (7.2.3) disclosed to third par- the proper disclosure ensure the proper dis- cedures covering dures are in place to of personal informa-
ties for new purposes or of personal informa- closure of personal all relevant aspects ensure proper dis- tion to third parties
uses only with the prior tion to third parties for information to third have been imple- closure of personal for new purposes
implicit or explicit con- new purposes or uses parties for new pur- mented to ensure the information to third and uses, as well as
sent of the individual. are informal, inconsis- poses; however, they proper disclosure of parties for new pur- the associated con-
tent and incomplete. may not be consis- personal informa- poses. The entity sent by the individual,
tently and uniformly tion to third parties monitors to ensure the where applicable,
applied and not for new purposes. newly disclosed infor- are monitored and
fully documented. Such procedures are mation is only being assessed, to ensure
uniformly and con- used for the new pur- appropriate consent
sistently applied. poses or as specified. has been obtained
Consent from individ- and documented.
uals prior to disclosure Collection of con-
is documented. Exist- sent for new purposes
ing agreements with and uses is auto-
third parties are mated where possible
reviewed and updated and appropriate.
to reflect the new
purposes and uses.
25

Misuse of Personal The entity takes reme- Procedures to deter- Procedures are in Documented poli- Monitoring proce- Exception reports
Information by a dial action in response to mine and address place to require reme- cies and procedures dures are in place to are used to record
Third Party (7.2.4) misuse of personal infor- misuse of personal dial action in response covering all relevant track the response inappropriate or unac-
mation by a third party to information by a third to misuse of personal aspects are in place to to misuse of per- ceptable activities by
whom the entity has trans- party are informal, information by a third take remedial action sonal information by third parties and to
ferred such information. incomplete and incon- party, but they are in response to misuse a third party from ini- monitor the status of
sistently applied. not consistently and of personal informa- tial discovery through remedial activities.
uniformly applied or tion by a third party. to remedial action. Remediation plans are
fully documented. Such procedures are developed and proce-
consistently and uni- dures implemented to
formly applied. address unacceptable
or inappropriate use.
SECURITY FOR The entity protects personal information against unauthorized access (both physical and logical).
PRIVACY (9 criteria)
Privacy Policies The entity’s privacy pol- Security policies and Security provisions Security provisions Compliance with Management moni-
(8.1.0) icies (including any procedures exist in privacy policies in privacy policies security provisions in tors compliance with
relevant security poli- informally; however, and procedures exist cover all relevant privacy policies and privacy policies and
cies) address the security they are based on but may not cover all aspects and are procedures is evalu- procedures relating
of personal information. ad hoc and incon- aspects, and are not fully documented. ated and monitored. to security. Issues of
sistent processes. fully documented. non-compliance are
ensure compliance.
Communication to Individuals are informed Individuals may be Individuals are Individuals are The entity manages Communications
Individuals (8.1.1) that precautions are informed about secu- informed about secu- informed about the its security program explain to individuals
taken to protect per- rity of personal rity practices to entity’s security prac- through periodic the need for secu-
sonal information. information; however, protect personal tices for the protection reviews and security rity, the initiatives the
communications are information, but of personal informa- assessments. Inci- entity takes to ensure
inconsistent, sporadic such disclosures tion. Security policies, dents and violations that personal infor-
and undocumented. may not cover all procedures and prac- of its communications mation is protected
aspects and are not tices are documented policy for security and informs individu-
fully documented. and implemented. are investigated. als of other activities
they may want to
take to further pro-
tect their information.
26

cont.
Information Security A security program has been There have been some The entity has a secu- The entity has devel- Management mon- The entity under-
Program (8.2.1) developed, documented, thoughts of a pri- rity program in place oped, documented itors weaknesses, takes annual reviews
approved, and implemented vacy-focused security that may not address and promulgated periodically reviews of its security pro-
that includes administrative, program, but limited all areas or be fully its comprehen- its security program gram, including
technical and physical safe- in scope and per- documented. sive enterprise-wide as it applies to per- external reviews,
guards to protect personal haps undocumented. security program. sonal information and and determines the
information from loss, mis- The entity has establishes perfor- effectiveness of its
use, unauthorized access, addressed specific mance benchmarks. procedures. The
disclosure, alteration and privacy-focused secu- results of such reviews
destruction. The security rity requirements. are used to update
program should address, and improve the
but not be limited to, the security program.
following areas3 insofar as
they relate to the security
of personal information:
a. Risk assessment and
treatment [1.2.4]
b. Security policy [8.1.0]
c. Organization of
information security
[sections 1, 7, and 10]
d. Asset management
[section 1]
e. Human resources security
[section 1]
f. Physical and
environmental security
[8.2.3 and 8.2.4]
g. Communications and
operations management
[sections 1, 7, and 10]
h. Access control [sections
1, 8.2, and 10]
i. Information systems
acquisition, development,
and maintenance [1.2.6]
j. Information security
incident management
[1.2.7]
k. Business continuity
management
[section 8.2]
l. Compliance [sections
1 and 10]
3 These areas are drawn from ISO/IEC 27002:2005, Information technology—Security techniques—Code of practice for information security management. Permission is granted by the American National Standards
Institute (ANSI) on behalf of the International Organization for Standardization (ISO). Copies of ISO/IEC 27002 can be purchased from ANSI in the United States at http://webstore.ansi.org/ and in Canada from the
Standards Council of Canada at www.standardsstore.ca/eSpecs/index.jsp. It is not necessary to meet all of the criteria of ISO/IEC 27002:2005 to satisfy Generally Accepted Privacy Principles’ criterion 8.2.1. The refer-
ences associated with each area indicate the most relevant Generally Accepted Privacy Principles’ criteria for this purpose.
27

cont.
Logical Access Logical access to personal Controls over access The entity has basic The entity has doc- Management monitors Access and viola-
Controls (8.2.2) information is restricted by and privileges to files security procedures; umented and logical access con- tion attempts are
procedures that address and databases con- however, they do implemented security trols, including access assessed to deter-
the following matters: taining personal not include specific policies and proce- attempts and violation mine root causes and
a. Authorizing and information are infor- requirements govern- dures that sufficiently reports for files, data- potential exposures
registering internal mal, inconsistent ing logical access to control access to per- bases and resources and remedial action
personnel and individuals and incomplete. personal information sonal information. containing personal plans are developed
b. Identifying and and may not provide Access to per- information to iden- and implemented to
authenticating internal an appropriate level of sonal information is tify areas where increase the level of
personnel and individuals access or control over restricted to employ- additional security protection of personal
personal information. ees with a need needs improvement. information. Logical
c. Making changes and access controls are
updating access profiles for such access. Irregular access of
authorized person- continually assessed
d. Granting privileges and and improved.
permissions for access nel is also monitored.
to IT infrastructure Irregular access of
components and personal authorized personnel
information is monitored, assessed
and investigated
e. Preventing individuals where necessary.
from accessing anything
other than their own
personal or sensitive
information
f. Limiting access to
personal information only
to authorized internal
personnel based upon
their assigned roles and
responsibilities
g. Distributing output only
to authorized internal
personnel
h. Restricting logical access
to offline storage, backup
data, systems and media
i. Restricting access to
system configurations,
superuser functionality,
master passwords,
powerful utilities, and
security devices (for
example, firewalls)
j. Preventing the
introduction of viruses,
malicious code, and
unauthorized software
28

cont.
Physical Access Physical access is Controls over physi- The entity has basic The entity has imple- Management moni- Where physical access
Controls (8.2.3) restricted to personal cal access to personal physical security pro- mented formal tors physical access or attempted violation
information in any form information are infor- cedures; however, they physical security controls. Personal of personal informa-
(including the components mal, incomplete do not include specific policies and pro- information is physi- tion has occurred, the
of the entity’s system(s) and inconsistent. requirements govern- cedures that form cally stored in secure events are analyzed
that contain or protect ing physical access to the basis of specific locations. Access and remedial action
personal information). personal information privacy-related secu- to such locations is including changes to
maintained or stored rity procedures for restricted and moni- policies and proce-
in various media. physical access to per- tored. Unauthorized dures is adopted. This
Accordingly, inconsis- sonal information. access is investi- may include imple-
tent approaches are Physical access to gated and appropriate menting increased
taken throughout the personal informa- action taken. use of technology,
entity with respect to tion is restricted to as necessary. Physi-
physically securing employees with a cal access controls are
personal information. need for such access. continually assessed
and improved.
Environmental Personal information, in all Some policies and The entity has a busi- The entity has imple- Management monitors Management risk and
Safeguards (8.2.4) forms, is protected against procedures exist to ness continuity plan mented a formal threats and vulner- vulnerability assess-
accidental disclosure due ensure adequate safe- addressing cer- business-continuity abilities as part of a ments with respect to
to natural disasters and guards over personal tain aspects of the and disaster-recov- business risk man- personal information
environmental hazards. information in the business. Such a ery plan that address agement program result in improvements
event of disasters or plan may not spe- all aspects of the busi- and, where appropri- to the protection of
other environmental cifically address ness and identified ate, includes personal such information.
hazards; however, they personal informa- critical and essential information as a spe-
are incomplete and tion. Accordingly, resources, including cific category.
inconsistently applied. personal information personal informa-
The entity may lack may not be appro- tion in all forms and
a business continu- priately protected. media, and provides
ity plan that would Business continu- for specifics thereof.
require an assess- ity plans are not well Protection includes
ment of threats documented and have protection against
and vulnerabili- not been tested. accidental, unauthor-
ties and appropriate ized or inappropriate
protection of per- access or disclosure
sonal information. of personal infor-
mation. The plan
has been tested.
Transmitted Personal Personal information is pro- The protection of per- Policies and proce- Documented proce- The entity’s policies Management reviews
Information (8.2.5) tected when transmitted sonal information dures exist for the dures that cover all and procedures for the advances in security
by mail or other physical when being trans- protection of informa- relevant aspects have transmission of per- technology and tech-
means. Personal information mitted or sent to tion during transmittal been implemented sonal information are niques and updates
collected and transmitted another party is infor- but are not fully doc- and are working monitored to ensure their security poli-
over the Internet, over pub- mal, incomplete and umented; however, effectively to protect that they meet mini- cies and procedures
lic and other non-secure inconsistently applied. they may not spe- personal information mum industry security and supporting tech-
networks, and wireless Security restrictions cifically address when transmitted. standards and the nologies to afford
networks is protected by may not be applied personal information entity is in compliance the entity the most
deploying industry-stan- when using differ- or types of media. with such standards effective protection
dard encryption technology ent types of media and their own poli- of personal informa-
for transferring and receiv- to transmit per- cies and procedures. tion while it is being
ing personal information. sonal information. Issues of non-compli- transmitted, regard-
ance are dealt with. less of the media used.
29

cont.
Personal Information Personal information Controls over portable Procedures are in The entity has imple- Prior to issuance of Management moni-
on Portable Media stored on portable media devices that contain place to protect per- mented documented portable or removable tors new technologies
(8.2.6) or devices is protected personal information sonal information on policies and proce- devices, employees to enhance the secu-
from unauthorized access. are informal, incom- portable devices; how- dures, supported by are required to read rity of personal
plete and inconsistent. ever, they are not fully technology, that cover and acknowledge information stored
documented. Employ- all relevant aspects their responsibili- on portable devices.
ees are aware of the and restrict the use ties for such devices They ensure the use
additional risks and of portable or remov- and recognize the of new technolo-
vulnerabilities asso- able devices to store consequences of vio- gies meets security
ciated with the use personal information. lations of security requirements for the
of portable and The entity autho- policies and pro- protection of per-
removable devices. rizes the devices cedures. Where sonal information,
Awareness of require- and requires man- portable devices are monitor adoption
ments to protect datory encryption. used, only autho- and implementation
personal informa- rized and registered of such technolo-
tion are known and devices such as por- gies and, where such
certain procedures table flash drives that monitoring identi-
exist to preclude or require encryption fies deficiencies or
restrict the use of por- are permitted. Use exposures, imple-
table and removal of unregistered and ment remedial action.
devices to record, unencrypted portable
transfer and archive devices is not allowed
personal information. in the entity’s com-
puting environment.
Testing Security Tests of the effectiveness Tests of security Periodic tests of secu- Periodic and appro- Management monitors Test results are ana-
Safeguards (8.2.7) of the key administrative, safeguards for per- rity safeguards are priate tests of security the testing process, lyzed, through a
technical, and physical safe- sonal information performed by the IT safeguards for per- ensures tests are con- defined root-cause
guards protecting personal are undocumented, function; however, sonal information are ducted as required analysis, and remedial
information are con- incomplete and their scope varies. performed in all sig- by policy, and takes measures documented
ducted at least annually. inconsistent. nificant areas of the remedial action for and implemented to
business. Test work is deficiencies identified. improve the entity’s
completed by quali- security program.
fied personnel such
as Certified Public
Accountants, Char-
tered Accountants,
Certified Informa-
tion System Auditors,
or internal audi-
tors. Test results are
documented and
shared with appro-
priate stakeholders.
Tests are performed
at least annually.
30

QUALITY (4 criteria) The entity maintains accurate, complete and relevant personal information for the purposes identified in the notice.
Privacy Policies The entity’s privacy poli- Quality control poli- Quality provisions in Quality provisions Compliance with Management moni-
(9.1.0) cies address the quality cies and procedures privacy policies and in privacy policies quality provisions in tors compliance with
of personal information. exist informally. procedures exist, cover all relevant privacy policies and privacy policies and
but may not cover all aspects and are procedures is moni- procedures relating
aspects and are not fully documented. tored and the results to quality. Issues of
fully documented. are used to reinforce non-compliance are
key privacy messages. identified and reme-
ensure compliance.
Communication to Individuals are informed Individuals may be Individuals are Individuals are Communications are Communications are
Individuals (9.1.1) that they are responsi- informed about their informed of their informed of their monitored to ensure monitored and ana-
ble for providing the entity responsibility to pro- responsibility to responsibility for pro- individuals are ade- lyzed to ensure the
with accurate and com- vide accurate and provide accurate viding accurate and quately informed of messaging is appro-
plete personal information complete personal information; how- complete personal their responsibili- priate and meeting the
and for contacting the information; however, ever, communications information and for ties and the remedies needs of individuals
entity if correction of such communications are may not cover all contacting the entity available to them and changes are being
information is required. inconsistent, sporadic aspects and may not if corrections are should they have com- made where required.
and undocumented. be fully documented. necessary. Such complaints or issues.
munications cover all
relevant aspects and
are documented.
Accuracy and Personal information is Procedures exist to Procedures are in Documented policies, Processes are Processes are in place
Completeness of accurate and complete for ensure the complete- place to ensure the procedures and pro- designed and man- to monitor and mea-
Personal Information the purposes for which ness and accuracy of accuracy and com- cesses that cover all aged to ensure the sure the accuracy of
(9.2.1) it is to be used. information provided pleteness of personal relevant aspects have integrity of personal personal information.
to the entity; how- information; however, been implemented to information is main- Results are analyzed
ever, they are informal, they are not fully doc- ensure the accuracy tained. Benchmarks and modifications and
incomplete and incon- umented and may not of personal informa- have been estab- improvements made.
sistently applied. cover all aspects. tion. Individuals are lished and compliance
provided with infor- measured. Methods
mation on how to are used to verify the
correct data the entity accuracy and com-
maintains about them. pleteness of personal
information obtained,
whether from indi-
viduals directly or
from third parties.
31

QUALITY (4 criteria) The entity maintains accurate, complete and relevant personal information for the purposes identified in the notice.
cont.
Relevance of Personal information is rel- Some procedures are Procedures are in Documented poli- Processes are Processes are in place
Personal Information evant to the purposes for in place to ensure the place to ensure that cies and procedures designed and to monitor the rel-
(9.2.2) which it is to be used. personal informa- personal information that cover all relevant reviewed to ensure evance of personal
tion being collected is relevant to the pur- aspects, supported by the relevance of the information collected,
is relevant to the poses for which it is effective processes, personal informa- used and disclosed.
defined purpose, but to be used, but these have been imple- tion collected, used Results are analyzed
they are incomplete, procedures are not mented to ensure that and disclosed. and modifications
informal and incon- fully documented nor only personal infor- and improvements
sistently applied. cover all aspects. mation relevant to the made as necessary.
stated purposes is
used and to minimize
the possibility that
inappropriate informa-
tion is used to make
business decisions
about the individual.
MONITORING and The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related inquiries, complaints and disputes.
ENFORCEMENT
(7 criteria)
Privacy Policies The entity’s privacy poli- Monitoring and Monitoring and Monitoring and Compliance with Management moni-
(10.1.0) cies address the monitoring enforcement of pri- enforcement pro- enforcement pro- monitoring and tors compliance with
and enforcement of privacy vacy policies and visions in privacy visions in privacy enforcement pro- privacy policies and
policies and procedures. procedures are infor- policies and pro- policies cover all rel- visions in privacy procedures relat-
mal and ad hoc. cedures exist but evant aspects and are policies is monitored ing to monitoring and
Guidance on con- may not cover all fully documented. and results are used enforcement. Issues
ducting such reviews aspects, and are not to reinforce key pri- of non-compliance are
is not documented. fully documented. vacy messages. identified and reme-
ensure compliance.
Communication to Individuals are informed Individuals may be Procedures are in Individuals are Communications Communications are
Individuals (10.1.1) about how to contact the informed about place to inform indi- informed about are monitored to monitored and ana-
entity with inquiries, com- how to contact the viduals about how how to contact the ensure that individ- lyzed to ensure the
plaints and disputes. entity with inqui- to contact the entity entity with inquiries, uals are adequately messaging is appro-
ries, complaints and with inquiries, com- complaints and dis- informed about how priate and meeting the
disputes; however, plaints, and disputes putes and to whom to contact the entity needs of individuals
communications are but may not cover all the individual can with inquiries, com- and changes are being
inconsistent, sporadic aspects and are not direct complaints. plaints and disputes. made where required.
and undocumented. fully documented. Policies and proce- Remedial action is
dures are documented taken when required.
and implemented.
32

MONITORING and The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related inquiries, complaints and disputes.
ENFORCEMENT
Inquiry, Complaint A process is in place to An informal pro- Processes to address Documented poli- Inquiries, complaints Management moni-
and Dispute Process address inquiries, com- cess exists to address inquiries, complaints cies and procedures and disputes are tors and analyzes the
(10.2.1) plaints and disputes. inquiries, complaints and disputes exist, covering all relevant recorded, responsi- process to address
and disputes; however, but are not fully doc- aspects have been bilities assigned and inquiries, complaints
it is incomplete and umented and do not implemented to deal addressed through and disputes and
inconsistently applied. cover all aspects. with inquiries, com- a managed process. makes changes to
plaints and disputes. Recourse and a formal the process, where
escalation process are appropriate.
in place to review and
approve any recourse
offered to individuals.
Dispute Resolution Each complaint is Complaints are han- Processes are in place Documented policies Privacy complaints Privacy complaints are
and Recourse addressed, and the res- dled informally and to address complaints, and procedures cover- are reviewed to ensure monitored and ana-
(10.2.2) olution is documented inconsistently. Ade- but they are not fully ing all relevant aspects they are addressed lyzed and the results
and communicated quate documentation documented and may have been imple- within a specific time- used to redesign and
to the individual. is not available. not cover all aspects. mented to handle frame in a satisfactory improve the privacy
privacy complaints. manner; satisfac- complaint process.
Resolution of the com- tion is monitored and
plaints is documented. managed. Unre-
solved complaints are
escalated for review
by management.
Compliance Review Compliance with privacy Review of compliance Policies and pro- Documented poli- Management mon- Management ana-
(10.2.3) policies and procedures, with privacy poli- cedures to monitor cies and procedures itors activities to lyzes and monitors
commitments and applicable cies and procedures, compliance with pri- that cover all rele- ensure the entity’s pri- results of compli-
laws, regulations, service- laws, regulations and vacy policies and vant aspects have vacy program remains ance reviews of the
level agreements and contracts is infor- procedures, legisla- been implemented in compliance with entity’s privacy pro-
other contracts is reviewed mal, inconsistently tive and regulatory that require man- laws, regulations and gram and proactively
and documented and the and incomplete. requirements and con- agement to review other requirements. initiates remedia-
results of such reviews are tracts are in place, but compliance with the tion efforts to ensure
reported to management. are not fully docu- entity’s privacy poli- ongoing and sustain-
If problems are identified, mented and may not cies and procedures, able compliance.
remediation plans are devel- cover all aspects. laws, regulations, and
oped and implemented. other requirements.
Instances of Instances of noncompli- Processes to handle Policies and proce- Documented poli- Management monitors Non-compliance
Noncompliance ance with privacy policies instances of non- dures are in place to cies and procedures noncompliance with results in disciplinary
(10.2.4) and procedures are docu- compliance exist, document non-com- covering all rele- privacy policies and action and remedial
mented and reported and, but are incomplete, pliance with privacy vant aspects have procedures and takes training to correct
if needed, corrective and informal and incon- policies and proce- been implemented appropriate corrective individual behavior.
disciplinary measures are sistently applied. dures, but are not fully to handle instances and disciplinary action In addition policies
taken on a timely basis. documented or do of non-compliance in a timely fashion. and procedures are
not cover all relevant with privacy poli- improved to assist
aspects. Corrective cies and procedures. in full understand-
and disciplinary mea- Corrective and disci- ing and compliance.
sures may not always plinary measures of
be documented. non-compliance are
fully documented.
33

MONITORING and The entity monitors compliance with its privacy policies and procedures and has proce-
ENFORCEMENT dures to address privacy-related inquiries, complaints and disputes.
Ongoing Monitoring Ongoing procedures are Ongoing monitor- Monitoring of privacy The entity has imple- Monitoring of controls Monitoring is per-
(10.2.5) performed for monitoring of privacy controls controls is not fully mented documented over personal infor- formed and the
ing the effectiveness of over personal infor- documented and does policies and proce- mation is performed analyzed results are
controls over personal mation is informal, not cover all aspects. dures covering all in accordance with the used to improve the
information based on a incomplete and incon- relevant aspects to entity’s monitoring entity’s privacy pro-
risk assessment and for sistently applied. monitor its privacy guidelines and results gram. The entity
taking timely corrective controls. Selection of analyzed and pro- monitors external
actions where necessary. controls to be moni- vided to management. sources to obtain
tored and frequency information about
with which they are their privacy “perfor-
monitored are based mance” and initiates
on a risk assessment. changes as required.
34
NOTES
35

Aicpa Cica Privacy Maturity Model Final-2011 PDF

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Aicpa Cica Privacy Maturity Model Final-2011 PDF

Hochgeladen von

Copyright:

Verfügbare Formate

AICPA/CICA

Privacy Maturity Model

AICPA/CICA Privacy Task Force

Philip M. Juravel, CPA, CITP

Sagi Leizerov, Ph.D., CIPP

Rena Mears, CPA, CITP, CISSP, CISA, CIPP

Robert Parker, FCA, CA•CISA, CMC

Marilyn Prosch, Ph.D., CIPP

Doron M. Rotman, CPA (Israel), CISA, CIA, CISM, CIPP

Kerry Shackelford, CPA

Donald E. Sheehy, CA•CISA, CIPP/C

Nancy A. Cohen, CPA, CITP, CIPP

2 AICPA/CICA Privacy Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

3 Advantages of Using the Privacy Maturity Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

4 Using the Privacy Maturity Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

5 Privacy Maturity Model Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

AICPA/CICA PRIVACY MATURITY MODEL

This page intentionally left blank.

AICPA/CICA Generally Accepted Privacy Principles (GAPP)

Model User Guide

2 AICPA/CICA Privacy Resources

5 Privacy Maturity Model Reporting

Assessing Maturity Using the PMM

4.1.0 Privacy Policies

& Lawful Means

4.2.1 Collection Limited

4.2.2 Collection by Fair

4.1.2 Types and Methods

Figure 2 – Maturity Report by Criteria within a Specific GAPP Principle

The report indicates the

2.2.2. Entities &

2.2.3 Clear &

AICPA/CICA PRIVACY MATURITY MODEL1

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

GAPP - 73 Criteria Maturity Levels

Das könnte Ihnen auch gefallen