10-229 AICPA CICA Privacy Maturity Model Finale Book

AICPA/CICA Privacy Maturity Model
March 2011

  • 8/2/2019 10-229 AICPA CICA Privacy Maturity Model Finale Book

    2/42

Notice to Reader

DISCLAIMER: This document has not been approved, disapproved, or otherwise acted upon by any senior technical committees of, and does not represent an official position of, the American Institute of Certified Public Accountants (AICPA) or the Canadian Institute of Chartered Accountants (CICA). It is distributed with the understanding that the contributing authors and editors, and the publisher, are not rendering legal, accounting, or other professional services in this document. The services of a competent professional should be sought when legal advice or other expert assistance is required.

Neither the authors, the publishers nor any person involved in the preparation of this document accept any contractual, tortious or other form of liability for its contents or for any consequences arising from its use. This document is provided for suggested best practices and is not a substitute for legal advice. Obtain legal advice in each particular situation to ensure compliance with applicable laws and regulations and to ensure that procedures and policies are current as legislation and regulations may be amended.

Copyright 2011 by
American Institute of Certified Public Accountants, Inc.
and Canadian Institute of Chartered Accountants.

All rights reserved. Checklists and sample documents contained herein may be reproduced and distributed as part of professional services or within the context of professional practice, provided that reproduced materials are not in any way directly offered for sale or profit. For information about the procedure for requesting permission to make copies of any part of this work, please visit www.copyright.com or call (978) 750-8400.


    AICPA/CICA Privacy Maturity Model

    AICPA/CICA Privacy Task Force

Chair: Everett C. Johnson, CPA
Vice Chair: Kenneth D. Askelson, CPA, CITP, CIA
Eric Federing
Philip M. Juravel, CPA, CITP
Sagi Leizerov, Ph.D., CIPP
Rena Mears, CPA, CITP, CISSP, CISA, CIPP
Robert Parker, FCA, CA·CISA, CMC
Marilyn Prosch, Ph.D., CIPP
Doron M. Rotman, CPA (Israel), CISA, CIA, CISM, CIPP
Kerry Shackelford, CPA
Donald E. Sheehy, CA·CISA, CIPP/C

Staff Contacts:

Nicholas F. Cheung, CA, CIPP/C
CICA
Principal, Guidance and Support

and

Nancy A. Cohen, CPA, CITP, CIPP
AICPA
Senior Technical Manager, Specialized Communities and Practice Management

  • 8/2/2019 10-229 AICPA CICA Privacy Maturity Model Finale Book

    4/42

    iv

    AICPA/CICA Privacy Maturity Model

    Acknowledgements

The AICPA and CICA appreciate the contributions of the volunteers who devoted significant time and effort to this project. The institutes also acknowledge the support that the following organization has provided to the development of the Privacy Maturity Model:

  • 8/2/2019 10-229 AICPA CICA Privacy Maturity Model Finale Book

    5/42

    v

    AICPA/CICA Privacy Maturity Model

    Table of Contents

1 Introduction
2 AICPA/CICA Privacy Resources
    Generally Accepted Privacy Principles (GAPP)
    Privacy Maturity Model
3 Advantages of Using the Privacy Maturity Model
4 Using the Privacy Maturity Model
    Getting Started
    Document Findings against GAPP
    Assessing Maturity Using the PMM
5 Privacy Maturity Model Reporting
6 Summary
AICPA/CICA Privacy Maturity Model: Based on Generally Accepted Privacy Principles (GAPP)

  • 8/2/2019 10-229 AICPA CICA Privacy Maturity Model Finale Book

    6/42

    vi

    AICPA/CICA Privacy Maturity Model

    This page intentionally let blank.

  • 8/2/2019 10-229 AICPA CICA Privacy Maturity Model Finale Book

    7/42

    1

    AICPA/CICA Privacy Maturity Model

AICPA/CICA Privacy Maturity Model User Guide

1 Introduction

Privacy-related considerations are significant business requirements that must be addressed by organizations that collect, use, retain and disclose personal information about customers, employees and others about whom they have such information. Personal information is information that is about, or can be related to, an identifiable individual, such as name, date of birth, home address, home telephone number or an employee number. Personal information also includes medical information, physical features, behaviour and other traits.

Privacy can be defined as the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information.

Becoming privacy compliant is a journey. Legislation and regulations continue to evolve, resulting in increasing restrictions and expectations being placed on employers, management and boards of directors. Measuring progress along the journey is often difficult, and establishing goals, objectives, timelines and measurable criteria can be challenging. However, establishing appropriate and recognized benchmarks, then monitoring progress against them, can ensure the organization's privacy compliance is properly focused.

2 AICPA/CICA Privacy Resources

The American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) have developed tools, processes and guidance based on Generally Accepted Privacy Principles (GAPP) to assist organizations in strengthening their privacy policies, procedures and practices. GAPP and other tools and guidance, such as the AICPA/CICA Privacy Risk Assessment Tool, are available at www.aicpa.org/privacy and www.cica.ca/privacy.

Generally Accepted Privacy Principles (GAPP)

Generally Accepted Privacy Principles has been developed from a business perspective, referencing some but by no means all significant local, national and international privacy regulations. GAPP converts complex privacy requirements into a single privacy objective supported by 10 privacy principles. Each principle is supported by objective, measurable criteria (73 in all) that form the basis for effective management of privacy risk and compliance. Illustrative policy requirements, communications and controls, including their monitoring, are provided as support for the criteria.

GAPP can be used by any organization as part of its privacy program. GAPP has been developed to help management create an effective privacy program that addresses privacy risks and obligations as well as business opportunities. It can also be a useful tool to boards and others charged with governance and the provision of oversight. It includes a definition of privacy and an explanation of why privacy is a business issue and not solely a compliance issue. Also illustrated are how these principles can be applied to outsourcing arrangements and the types of privacy initiatives that can be undertaken for the benefit of organizations, their customers and related persons.

The ten principles that comprise GAPP:

1. Management. The entity defines, documents, communicates and assigns accountability for its privacy policies and procedures.

2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.

3. Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information.

4. Collection. The entity collects personal information only for the purposes identified in the notice.

5. Use, retention and disposal. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.

6. Access. The entity provides individuals with access to their personal information for review and update.

7. Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.


8. Security for privacy. The entity protects personal information against unauthorized access (both physical and logical).

9. Quality. The entity maintains accurate, complete and relevant personal information for the purposes identified in the notice.

10. Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.

Since GAPP forms the basis for the Privacy Maturity Model (PMM), an understanding of GAPP is required. In addition, an understanding of the entity's privacy program and any specific privacy initiatives is also required. The reviewer should also be familiar with the privacy environment in which the entity operates, including legislative, regulatory, industry and other jurisdictional privacy requirements.

Privacy Maturity Model

Maturity models are a recognized means by which organizations can measure their progress against established benchmarks. As such, they recognize that:

• becoming compliant is a journey and progress along the way strengthens the organization, whether or not the organization has achieved all of the requirements;

• in certain cases, such as security-focused maturity models, not every organization, or every security application, needs to be at the maximum for the organization to achieve an acceptable level of security; and

• creation of values or benefits may be possible if they achieve a higher maturity level.

The AICPA/CICA Privacy Maturity Model¹ is based on GAPP and the Capability Maturity Model (CMM), which has been in use for almost 20 years.

The PMM uses five maturity levels as follows:

1. Ad hoc: procedures or processes are generally informal, incomplete, and inconsistently applied.

2. Repeatable: procedures or processes exist; however, they are not fully documented and do not cover all relevant aspects.

3. Defined: procedures and processes are fully documented and implemented, and cover all relevant aspects.

4. Managed: reviews are conducted to assess the effectiveness of the controls in place.

5. Optimized: regular review and feedback are used to ensure continuous improvement towards optimization of the given process.

¹ This model is based on Technical Report, CMU/SEI-93-TR-024 ESC-TR-93-177, Capability Maturity Model SM for Software, Version 1.1, Copyright 1993 Carnegie Mellon University, with special permission from the Software Engineering Institute. Any material of Carnegie Mellon University and/or its Software Engineering Institute contained herein is furnished on an as-is basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for purpose or merchantability, exclusivity, or results obtained from use of material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. This model has not been reviewed nor is it endorsed by Carnegie Mellon University or its Software Engineering Institute. Capability Maturity Model, CMM, and CMMI are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

In developing the PMM, it was recognized that each organization's personal information privacy practices may be at various levels, whether due to legislative requirements, corporate policies or the status of the organization's privacy initiatives. It was also recognized that, based on an organization's approach to risk, not all privacy initiatives would need to reach the highest level on the maturity model.

Each of the 73 GAPP criteria is broken down according to the five maturity levels. This allows entities to obtain a picture of their privacy program or initiatives both in terms of their status and, through successive reviews, their progress.

3 Advantages of Using the Privacy Maturity Model

The PMM provides entities with a useful and effective means of assessing their privacy program against a recognized maturity model and has the added advantage of identifying the next steps required to move the privacy program ahead. The PMM can also measure progress against both internal and external benchmarks. Further, it can be used to measure the progress of both specific projects and the entity's overall privacy initiative.

4 Using the Privacy Maturity Model

The PMM can be used to provide:

• the status of privacy initiatives

• a comparison of the organization's privacy program among business or geographical units, or the enterprise as a whole

• a time series analysis for management

• a basis for benchmarking to other comparable entities.

To be effective, users of the PMM must consider the following:

• maturity of the entity's privacy program

• ability to obtain complete and accurate information on the entity's privacy initiatives

• agreement on the Privacy Maturity assessment criteria

• level of understanding of GAPP and the PMM.

  • 8/2/2019 10-229 AICPA CICA Privacy Maturity Model Finale Book

    9/42

    3

    AICPA/CICA Privacy Maturity Model

Getting Started

While the PMM can be used to set benchmarks for organizations establishing a privacy program, it is designed to be used by organizations that have an existing privacy function and some components of a privacy program. The PMM provides structured means to assist in identifying and documenting current privacy initiatives, determining status and assessing it against the PMM criteria.

Start-up activities could include:

• identifying a project sponsor (Chief Privacy Officer or equivalent)

• appointing a project lead with sufficient privacy knowledge and authority to manage the project and assess the findings

• forming an oversight committee that includes representatives from legal, human resources, risk management, internal audit, information technology and the privacy office

• considering whether the committee requires outside privacy expertise

• assembling a team to obtain and document information and perform the initial assessment of the maturity level

• managing the project by providing status reports and the opportunity to meet and assess overall progress

• providing a means to ensure that identifiable risk and compliance issues are appropriately escalated

• ensuring the project sponsor and senior management are aware of all findings

• identifying the desired maturity level by principle and/or for the entire organization for benchmarking purposes.

Document Findings against GAPP

The maturity of the organization's privacy program can be assessed when findings are:

• documented and evaluated under each of the 73 GAPP criteria

• reviewed with those responsible for their accuracy and completeness

• reflective of the current status of the entity's privacy initiatives and program. Any plans to implement additional privacy activities and initiatives should be captured on a separate document for use in the final report.

As information on the status of the entity's privacy program is documented for each of the 73 privacy criteria, it should be reviewed with the providers of the information and, once confirmed, reviewed with the project committee.

Assessing Maturity Using the PMM

Once information on the status of the entity's privacy program has been determined, the next task is to assess that information against the PMM. Users of the PMM should review the descriptions of the activities, documents, policies, procedures and other information expected for each level of maturity and compare them to the status of the organization's privacy initiatives. In addition, users should review the next-higher classification and determine whether the entity could or should strive to reach it.

It should be recognized that an organization may decide for a number of reasons not to be at maturity level 5. In many cases a lower level of maturity will suffice. Each organization needs to determine the maturity level that best meets its needs, according to its circumstances and the relevant legislation.

Once the maturity level for each criterion has been determined, the organization may wish to summarize the findings by calculating an overall maturity score by principle and one for the entire organization. In developing such a score, the organization should consider the following:

• sufficiency of a simple mathematical average; if insufficient, determination of the weightings to be given to the various criteria

• documentation of the rationale for weighting each criterion for use in future benchmarking.
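As an added example (not part of the AICPA/CICA document), the following Python helper applies the scoring approach described above: it computes a simple average and a weighted average per principle and for the entity as a whole, refuses a non-default weight that has no documented rationale, keeps those rationales for later benchmarking, and lists the criteria that sit below the desired maturity level of their principle together with the next-higher classification. The criterion ids are the ones used in the document's figures; the assessed levels, weights, rationale text and desired levels are constructed sample values.

```python
# Added example: maturity scoring helper for PMM findings.
# Not part of the AICPA/CICA document; criterion ids follow the document's
# figures, while the assessed levels, weights and desired levels below are
# constructed sample values.
from collections import defaultdict
from dataclasses import dataclass

# The five PMM maturity levels from the User Guide.
LEVELS = {1: "Ad hoc", 2: "Repeatable", 3: "Defined", 4: "Managed", 5: "Optimized"}


@dataclass(frozen=True)
class Finding:
    criterion: str        # GAPP criterion id, e.g. "1.1.0"
    principle: str        # GAPP principle the criterion belongs to
    level: int            # assessed maturity level, 1..5
    weight: float = 1.0   # 1.0 for every criterion gives a simple average
    rationale: str = ""   # documented reason for a non-default weight


def validate(findings):
    """Reject levels outside 1..5, non-positive weights and undocumented weights."""
    for f in findings:
        if f.level not in LEVELS:
            raise ValueError(f"{f.criterion}: level {f.level} is not a PMM level")
        if f.weight <= 0:
            raise ValueError(f"{f.criterion}: weight must be positive")
        if f.weight != 1.0 and not f.rationale:
            raise ValueError(f"{f.criterion}: weighting needs a documented rationale")
    return True


def _average(findings, weighted):
    """Weighted mean of levels; with weighted=False every weight counts as 1."""
    total = sum(f.level * (f.weight if weighted else 1.0) for f in findings)
    denom = sum((f.weight if weighted else 1.0) for f in findings)
    return round(total / denom, 2)


def principle_scores(findings, weighted=False):
    """Maturity score per GAPP principle (simple or weighted average)."""
    validate(findings)
    by_principle = defaultdict(list)
    for f in findings:
        by_principle[f.principle].append(f)
    return {p: _average(fs, weighted) for p, fs in by_principle.items()}


def overall_score(findings, weighted=False):
    """Single score for the entity across all assessed criteria."""
    validate(findings)
    return _average(findings, weighted)


def gaps(findings, desired):
    """Criteria below the desired level of their principle, each with the
    next-higher classification the entity would have to reach first."""
    validate(findings)
    out = []
    for f in findings:
        target = desired.get(f.principle)
        if target is not None and f.level < target:
            out.append((f.criterion, f.principle, f.level, target, LEVELS[f.level + 1]))
    return out


def weighting_rationale(findings):
    """Rationale for every non-default weight, kept for future benchmarking."""
    return {f.criterion: f.rationale for f in findings if f.weight != 1.0}


# Constructed sample assessment: a few Management and Notice criteria.
SAMPLE = [
    Finding("1.1.0", "Management", 3),
    Finding("1.1.1", "Management", 2),
    Finding("1.1.2", "Management", 4, weight=2.0,
            rationale="Oversight committee weighted accountability double."),
    Finding("1.2.1", "Management", 3),
    Finding("2.1.0", "Notice", 2),
    Finding("2.1.1", "Notice", 3),
    Finding("2.2.1", "Notice", 3),
]
DESIRED = {"Management": 4, "Notice": 3}  # constructed desired levels by principle

if __name__ == "__main__":
    print("simple:  ", principle_scores(SAMPLE), overall_score(SAMPLE))
    print("weighted:", principle_scores(SAMPLE, weighted=True),
          overall_score(SAMPLE, weighted=True))
    for gap in gaps(SAMPLE, DESIRED):
        print("below desired:", gap)
    print("weights:", weighting_rationale(SAMPLE))
```

With the sample data the simple and weighted Management scores differ (3.0 versus 3.2) because one criterion carries double weight, which is exactly the situation in which the document asks for the weighting rationale to be recorded; the gap list is the raw material for the kind of actual-versus-desired report shown in the figures of section 5.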

5 Privacy Maturity Model Reporting

The PMM can be used as the basis for reporting on the status of the entity's privacy program and initiatives. It provides a means of reporting status and, if assessed over time, reporting progress made.

In addition, by documenting requirements of the next-higher level on the PMM, entities can determine whether and when they should initiate new privacy projects to raise their maturity level. Further, the PMM can identify situations where the maturity level has fallen and identify opportunities and requirements for remedial action.

Privacy maturity reports can be in narrative form; a more visual form can be developed using graphs and charts to indicate the level of maturity at the principle or criterion level.

The following examples, based on internal reports intended for management, use graphical representations.

  • 8/2/2019 10-229 AICPA CICA Privacy Maturity Model Finale Book

    10/42

    4

    AICPA/CICA Privacy Maturity Model

Figure 1: Privacy Maturity Report by GAPP Principle

Figure 1 shows a sample graph that could be used to illustrate the maturity of the organization's privacy program by each of the 10 principles in GAPP. The report also indicates the desired maturity level for the enterprise. Reports like this are useful in providing management with an overview of the entity's privacy program and initiatives.

[Chart: "Maturity Reporting by Principle". Vertical axis: Maturity Level (0 to 5). Horizontal axis: Management; Notice; Choice & Consent; Collection; Use, Retention & Disposal; Access; Disclosure to 3rd Parties; Security for Privacy; Quality; Monitoring & Enforcement. The chart also shows the Entity's Desired Maturity Level.]

Figure 2: Maturity Report by Criteria within a Specific GAPP Principle

Figure 2 shows the maturity of each criterion within a specific principle, in this case the Notice principle. The report indicates the actual maturity level for each criterion. The report also indicates the actual and desired maturity level for the principle as a whole. Reports like this provide useful insight into specific criteria within a privacy principle.

[Chart: "Maturity Reporting by Criteria". Vertical axis: Maturity Level (0 to 5). Horizontal axis: 2.1.0 Privacy Policies; 2.1.1 Communication to Individuals; 2.2.1 Provision of Notice; 2.2.2 Entities & Activities; 2.2.3 Clear & Conspicuous. The chart also shows the Entity's Desired Maturity Level and the Entity's Actual Maturity Level.]

Figure 3: Maturity Report by Criteria within a GAPP Principle Over Time

Figure 3 shows the maturity of each criterion within the Collection principle for three time periods. The report indicates the actual maturity level for each criterion for three different time periods. Reports like this provide useful insight into progress being made by the entity's privacy initiatives over time.

[Chart: "Maturity Reporting by Criteria by Time Period". Vertical axis: Maturity Level (0 to 5). Horizontal axis: 4.1.0 Privacy Policies; 4.1.1 Communication to Individuals; 4.1.2 Types and Methods of Collection; 4.2.1 Collection Limited to Purpose in Notice; 4.2.2 Collection by Fair & Lawful Means; 4.2.3 Collection from 3rd Parties; 4.2.4 Information Developed About Individuals. The chart also shows the Entity's Desired Maturity Level and the Entity's Actual Maturity Level.]

6 Summary

The AICPA/CICA Privacy Maturity Model provides entities with an opportunity to assess their privacy initiatives against criteria that reflect the maturity of their privacy program and their level of compliance with Generally Accepted Privacy Principles.

The PMM can be a useful tool for management, consultants and auditors and should be considered throughout the entity's journey to develop a strong privacy program and benchmark its progress.

  • 8/2/2019 10-229 AICPA CICA Privacy Maturity Model Finale Book

    11/42

    5

    AICPA/CICA Privacy Maturity Model

AICPA/CICA PRIVACY MATURITY MODEL¹
Based on Generally Accepted Privacy Principles (GAPP)²

Columns of the model: GAPP (73 criteria); criteria description; maturity levels (Ad hoc, Repeatable, Defined, Managed, Optimized).

MANAGEMENT (14 criteria)
The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

Privacy Policies (1.1.0)
Description: The entity defines and documents its privacy policies with respect to notice; choice and consent; collection; use, retention and disposal; access; disclosure to third parties; security for privacy; quality; and monitoring and enforcement.
Ad hoc: Some aspects of privacy policies exist informally.
Repeatable: Privacy policies exist but may not be complete, and are not fully documented.
Defined: Policies are defined for: notice, choice and consent; collection; use, retention and disposal; access; disclosure; security for privacy; quality; and monitoring and enforcement.
Managed: Compliance with privacy policies is monitored and the results of such monitoring are used to reinforce key privacy messages.
Optimized: Management monitors compliance with policies and procedures concerning personal information. Issues of non-compliance are identified and remedial action taken to ensure compliance in a timely fashion.

Communication to Internal Personnel (1.1.1)
Description: Privacy policies and the consequences of non-compliance with such policies are communicated, at least annually, to the entity's internal personnel responsible for collecting, using, retaining and disclosing personal information. Changes in privacy policies are communicated to such personnel shortly after the changes are approved.
Ad hoc: Employees may be informed about the entity's privacy policies; however, communications are inconsistent, sporadic and undocumented.
Repeatable: Employees are provided guidance on the entity's privacy policies and procedures through various means; however, formal policies, where they exist, are not complete.
Defined: The entity has a process in place to communicate privacy policies and procedures to employees through initial awareness and training sessions and an ongoing communications program.
Managed: Privacy policies and the consequences of non-compliance are communicated at least annually; understanding is monitored and assessed.
Optimized: Changes and improvements to messaging and communications techniques are made in response to periodic assessments and feedback. Changes in privacy policies are communicated to personnel shortly after the changes are approved.

¹ See footnote 1 of the User Guide (Carnegie Mellon University / Software Engineering Institute notice on the Capability Maturity Model).

² Published by the American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA).

  • 8/2/2019 10-229 AICPA CICA Privacy Maturity Model Finale Book

    12/42

    6

    AICPA/CICA Privacy Maturity Model

MANAGEMENT (14 criteria), continued
The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

Responsibility and Accountability for Policies (1.1.2)
Description: Responsibility and accountability are assigned to a person or group for developing, documenting, implementing, enforcing, monitoring and updating the entity's privacy policies. The names of such person or group and their responsibilities are communicated to internal personnel.
Ad hoc: Management is becoming aware of privacy issues but has not yet identified a key sponsor or assigned responsibility. Privacy issues are addressed reactively.
Repeatable: Management understands the risks, requirements (including legal, regulatory and industry) and their responsibilities with respect to privacy. There is an understanding that appropriate privacy management is important and needs to be considered. Responsibility for operation of the entity's privacy program is assigned; however, the approaches are often informal and fragmented with limited authority or resources allocated.
Defined: Defined roles and responsibilities have been developed and assigned to various individuals / groups within the entity and employees are aware of those assignments. The approach to developing privacy policies and procedures is formalized and documented.
Managed: Management monitors the assignment of roles and responsibilities to ensure they are being performed, that the appropriate information and materials are developed and that those responsible are communicating effectively. Privacy initiatives have senior management support.
Optimized: The entity (such as a committee of the board of directors) regularly monitors the processes and assignments of those responsible for privacy and analyzes the progress to determine its effectiveness. Where required, changes and improvements are made in a timely and effective fashion.

Review and Approval (1.2.1)
Description: Privacy policies and procedures, and changes thereto, are reviewed and approved by management.
Ad hoc: Reviews are informal and not undertaken on a consistent basis.
Repeatable: Management undertakes periodic review of privacy policies and procedures; however, little guidance has been developed for such reviews.
Defined: Management follows a defined process that requires their review and approval of privacy policies and procedures.
Managed: The entity has supplemented management review and approval with periodic reviews by both internal and external privacy specialists.
Optimized: Management's review and approval of privacy policies also include periodic assessments of the privacy program to ensure all changes are warranted, made and approved; if necessary, the approval process will be revised.

Consistency of Privacy Policies and Procedures with Laws and Regulations (1.2.2)
Description: Policies and procedures are reviewed and compared to the requirements of applicable laws and regulations at least annually and whenever changes to such laws and regulations are made. Privacy policies and procedures are revised to conform with the requirements of applicable laws and regulations.
Ad hoc: Reviews and comparisons with applicable laws and regulations are performed inconsistently and are incomplete.
Repeatable: Privacy policies and procedures have been reviewed to ensure their compliance with applicable laws and regulations; however, documented guidance is not provided.
Defined: A process has been implemented that requires privacy policies to be periodically reviewed and maintained to reflect changes in privacy legislation and regulations; however, there is no proactive review of legislation.
Managed: Changes to privacy legislation and regulations are reviewed by management and changes are made to the entity's privacy policies and procedures as required. Management may subscribe to a privacy service that regularly informs them of such changes.
Optimized: Management assesses the degree to which changes to legislation are reflected in their privacy policies.

  • 8/2/2019 10-229 AICPA CICA Privacy Maturity Model Finale Book

    13/42

    7

    AICPA/CICA Privacy Maturity Model

    GAPP - 73

    IeIA

    IeIA

    desIPI

    MAuIy eves

    Ad h ePeAAbe deIed MAAGed PIMIzed

    MAAGeMe(14 critria) cont.

    ntit n, ocmnt, commnicat, an aign accontailit for it priac polici an procr.

Personal Information Identification and Classification (1.2.3)

Description: The types of personal information and sensitive personal information and the related processes, systems, and third parties involved in the handling of such information are identified. Such information is covered by the entity's privacy and related security policies and procedures.

Ad hoc: The identification of personal information is irregular, incomplete, inconsistent, and potentially out of date. Personal information is not adequately addressed in the entity's privacy and related security policies and procedures. Personal information may not be differentiated from other information.

Repeatable: Basic categories of personal information have been identified and covered in the entity's security and privacy policies; however, the classification may not have been extended to all personal information.

Defined: All personal information collected, used, stored and disclosed within the entity has been classified and risk rated. All personal information is covered by the entity's privacy and related security policies and procedures. Procedures exist to monitor compliance.

Managed: Personal information records are reviewed to ensure appropriate classification.

Optimized: Management maintains a record of all instances and uses of personal information. In addition, processes are in place to ensure changes to business processes and procedures and any supporting computerized systems, where personal information is involved, result in an updating of personal information records. Personal information records are reviewed to ensure appropriate classification.

Risk Assessment (1.2.4)

Description: A risk assessment process is used to establish a risk baseline and, at least annually, to identify new or changed risks to personal information and to develop and update responses to such risks.

Ad hoc: Privacy risks may have been identified, but such identification is not the result of any formal process. The privacy risks identified are incomplete and inconsistent. A privacy risk assessment has not likely been completed and privacy risks not formally documented.

Repeatable: Employees are aware of and consider various privacy risks. Risk assessments may not be conducted regularly, are not part of a more thorough risk management program and may not cover all areas.

Defined: Processes have been implemented for risk identification, risk assessment and reporting. A documented framework is used and risk appetite is established. For risk assessment, organizations may wish to use the AICPA/CICA Privacy Risk Assessment Tool.

Managed: Privacy risks are reviewed annually both internally and externally. Changes to privacy policies and procedures and the privacy program are updated as necessary.

Optimized: The entity has a formal risk management program that includes privacy risks which may be customized by jurisdiction, business unit or function. The program maintains a risk log that is periodically assessed. A formal annual risk management review is undertaken to assess the effectiveness of the program and changes are made where necessary. A risk management plan has been implemented.

Consistency of Commitments with Privacy Policies and Procedures (1.2.5)

Description: Internal personnel or advisers review contracts for consistency with privacy policies and procedures and address any inconsistencies.

Ad hoc: Reviews of contracts for privacy considerations are incomplete and inconsistent.

Repeatable: Procedures exist to review contracts and other commitments for instances where personal information may be involved; however, such reviews are informal and not consistently used.

Defined: A log of contracts exists and all contracts are reviewed for privacy considerations and concerns prior to execution.

Managed: Existing contracts are reviewed upon renewal to ensure continued compliance with the privacy policies and procedures. Changes in the entity's privacy policies will trigger a review of existing contracts for compliance.

Optimized: Contracts are reviewed on a regular basis and tracked. An automated process has been set up to flag which contracts require immediate review when changes to privacy policies and procedures are implemented.


Infrastructure and Systems Management (1.2.6)

Description: The potential privacy impact is assessed when new processes involving personal information are implemented, and when changes are made to such processes (including any such activities outsourced to third parties or contractors), and personal information continues to be protected in accordance with the privacy policies. For this purpose, processes involving personal information include the design, acquisition, development, implementation, configuration, modification and management of the following:

• Infrastructure
• Systems
• Applications
• Web sites
• Procedures
• Products and services
• Databases and information repositories
• Mobile computing and other similar electronic devices

The use of personal information in process and system test and development is prohibited unless such information is anonymized or otherwise protected in accordance with the entity's privacy policies and procedures.

Ad hoc: Changes to existing processes or the implementation of new business and system processes for privacy issues is not consistently assessed.

Repeatable: Privacy impact is considered during changes to business processes and/or supporting application systems; however, these processes are not fully documented and the procedures are informal and inconsistently applied.

Defined: The entity has implemented formal procedures to assess the privacy impact of new and significantly changed products, services, business processes and infrastructure (sometimes referred to as a privacy impact assessment). The entity uses a documented systems development and change management process for all information systems and related technology employed to collect, use, retain, disclose and destroy personal information.

Managed: Management monitors and reviews compliance with policies and procedures that require a privacy impact assessment.

Optimized: Through quality reviews and other independent assessments, management is informed of the effectiveness of the process for considering privacy requirements in all new and modified processes and systems. Such information is analyzed and, where necessary, changes made.


Privacy Incident and Breach Management (1.2.7)

Description: A documented privacy incident and breach management program has been implemented that includes, but is not limited to, the following:

• Procedures for the identification, management and resolution of privacy incidents and breaches
• Defined responsibilities
• A process to identify incident severity and determine required actions and escalation procedures
• A process for complying with breach laws and regulations, including stakeholder breach notification, if required
• An accountability process for employees or third parties responsible for incidents or breaches with remediation, penalties or discipline, as appropriate
• A process for periodic review (at least annually) of actual incidents to identify necessary program updates based on the following:
  - Incident patterns and root cause
  - Changes in the internal control environment or external requirements (regulation or legislation)
• Periodic testing or walkthrough process (at least on an annual basis) and associated program remediation as needed

Ad hoc: Few procedures exist to identify and manage privacy incidents; however, they are not documented and are applied inconsistently.

Repeatable: Procedures have been developed on how to deal with a privacy incident; however, they are not comprehensive and/or inadequate employee training has increased the likelihood of unstructured and inconsistent responses.

Defined: A documented breach management plan has been implemented that includes: accountability, identification, risk assessment, response, containment, communications (including possible notification to affected individuals and appropriate authorities, if required or deemed necessary), remediation (including post-breach analysis of the breach response) and resumption.

Managed: A walkthrough of the breach management plan is performed periodically and updates to the program are made as needed.

Optimized: The internal and external privacy environments are monitored for issues affecting breach risk and breach response, evaluated and improvements are made. Management assessments are provided after any privacy breach and analyzed; changes and improvements are made.


Supporting Resources (1.2.8)

Description: Resources are provided by the entity to implement and support its privacy policies.

Ad hoc: Resources are only allocated on an as needed basis to address privacy issues as they arise.

Repeatable: Privacy procedures exist; however, they have been developed within small units or groups without support from privacy specialists.

Defined: Individuals with responsibility and/or accountability for privacy are empowered with appropriate authority and resources. Such resources are made available throughout the entity.

Managed: Management ensures that adequately qualified privacy resources are identified and made available throughout the entity to support its various privacy initiatives.

Optimized: Management annually reviews its privacy program and seeks ways to improve the program's performance, including assessing the adequacy, availability and performance of resources.

Qualifications of Internal Personnel (1.2.9)

Description: The entity establishes qualifications for personnel responsible for protecting the privacy and security of personal information and assigns such responsibilities only to those personnel who meet these qualifications and have received the necessary training.

Ad hoc: The entity has not formally established qualifications for personnel who collect, use, disclose or otherwise handle personal information.

Repeatable: The entity has some established qualifications for personnel who collect, disclose, use or otherwise handle personal information, but are not fully documented. Employees receive some training on how to deal with personal information.

Defined: The entity defines qualifications for personnel who perform or manage the entity's collection, use and disclosure of personal information. Persons responsible for the protection and security of personal information have received appropriate training and have the necessary knowledge to manage the entity's collection, use and disclosure of personal information.

Managed: The entity has formed a nucleus of privacy-qualified individuals to provide privacy support to assist with specific issues, including training and job assistance.

Optimized: The entity annually assesses the performance of their privacy program, including the performance and qualifications of their privacy-designated specialists. An analysis is performed of the results and changes or improvements made, as required.

Privacy Awareness and Training (1.2.10)

Description: A privacy awareness program about the entity's privacy policies and related matters, and specific training for selected personnel depending on their roles and responsibilities, are provided.

Ad hoc: Formal privacy training is not provided to employees; however some knowledge of privacy may be obtained from other employees or anecdotal sources.

Repeatable: The entity has a privacy awareness program, but training is sporadic and inconsistent.

Defined: Personnel who handle personal information have received appropriate privacy awareness and training to ensure the entity meets obligations in its privacy notice and applicable laws. Training is scheduled, timely and consistent.

Managed: An enterprise-wide privacy awareness and training program exists and is monitored by management to ensure compliance with specific training requirements. The entity has determined which employees require privacy training and tracks their participation during such training.

Optimized: A strong privacy culture exists. Compulsory privacy awareness and training is provided. Such training requires employees to complete assignments to validate their understanding. When privacy incidents or breaches occur, remedial training as well as changes to the training curriculum is made in a timely fashion.


Changes in Regulatory and Business Requirements (1.2.11)

Description: For each jurisdiction in which the entity operates, the effect on privacy requirements from changes in the following factors is identified and addressed:

• Legal and regulatory
• Contracts, including service-level agreements
• Industry requirements
• Business operations and processes
• People, roles, and responsibilities
• Technology

Privacy policies and procedures are updated to reflect changes in requirements.

Ad hoc: Changes in business and regulatory environments are addressed sporadically in any privacy initiatives the entity may contemplate. Any privacy-related issues or concerns that are identified only occur in an informal manner.

Repeatable: The entity is aware that certain changes may impact their privacy initiatives; however, the process is not fully documented.

Defined: The entity has implemented policies and procedures designed to monitor and act upon changes in the business and/or regulatory environment. The procedures are inclusive and employees receive training in their use as part of an enterprise-wide privacy program.

Managed: The entity has established a process to monitor the privacy environment and identify items that may impact its privacy program. Changes are considered in terms of the entity's legal, contracting, business, human resources and technology.

Optimized: The entity has established a process to continually monitor and update any privacy obligations that may arise from changes to legislation, regulations, industry-specific requirements and business practices.

NOTICE (5 criteria)

The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

Privacy Policies (2.1.0)

Description: The entity's privacy policies address providing notice to individuals.

Ad hoc: Notice policies and procedures exist informally.

Repeatable: Notice provisions exist in privacy policies and procedures but may not cover all aspects and are not fully documented.

Defined: Notice provisions in privacy policies cover all relevant aspects and are fully documented.

Managed: Compliance with notice provisions in privacy policies and procedures is monitored and the results of such monitoring are used to reinforce key privacy messages.

Optimized: Management monitors compliance with privacy policies and procedures relating to notice. Issues of non-compliance are identified and remedial action taken to ensure compliance.

Communication to Individuals (2.1.1)

Description: Notice is provided to individuals regarding the following privacy policies: purpose; choice/consent; collection; use/retention/disposal; access; disclosure to third parties; security for privacy; quality; and monitoring/enforcement. If personal information is collected from sources other than the individual, such sources are described in the notice.

Ad hoc: Notice to individuals is not provided in a consistent manner and may not include all aspects of privacy, such as purpose; choice/consent; collection; use, retention and disposal; access; disclosure; security for privacy; quality; and monitoring/enforcement.

Repeatable: Notice is provided to individuals regarding some of the following privacy policies at or before the time of collection: purpose; choice/consent; collection; use, retention and disposal; access; disclosure; security for privacy; quality; and monitoring/enforcement.

Defined: Notice is provided to individuals regarding all of the following privacy policies at or before collection and is documented: purpose; choice/consent; collection; use, retention and disposal; access; disclosure; security for privacy; quality; and monitoring/enforcement.

Managed: Privacy policies describe the consequences, if any, of not providing the requested information and indicate that certain information may be developed about individuals, such as buying patterns, or collected from other sources.

Optimized: Changes and improvements to messaging and communications techniques are made in response to periodic assessments and feedback.


Provision of Notice (2.2.1)

Description: Notice is provided to the individual about the entity's privacy policies and procedures (a) at or before the time personal information is collected, or as soon as practical thereafter, (b) at or before the entity changes its privacy policies and procedures, or as soon as practical thereafter, or (c) before personal information is used for new purposes not previously identified.

Ad hoc: Notice may not be readily accessible nor provided on a timely basis.

Repeatable: Notice provided to individuals is generally accessible but is not provided on a timely basis. Notice may not be provided in all cases when personal information is collected or used for new purposes.

Defined: The privacy notice is documented, readily accessible and available, provided in a timely fashion and clearly dated.

Managed: The entity tracks previous iterations of the privacy policies and individuals are informed about changes to a previously communicated privacy notice. The privacy notice is updated to reflect changes to policies and procedures.

Optimized: The entity solicits input from relevant stakeholders regarding the appropriate means of providing notice and makes changes as deemed appropriate. Notice is provided using various techniques to meet the communications technologies of their constituents (e.g. social media, mobile communications, etc).

Entities and Activities Covered (2.2.2)

Description: An objective description of the entities and activities covered by privacy policies is included in the privacy notice.

Ad hoc: The privacy notice may not include all relevant entities and activities.

Repeatable: The privacy notice describes some of the particular entities, business segments, locations, and types of information covered.

Defined: The privacy notice objectively describes and encompasses all relevant entities, business segments, locations, and types of information covered.

Managed: The entity performs a periodic review to ensure the entities and activities covered by privacy policies are updated and accurate.

Optimized: Management follows a formal documented process to consider and take appropriate action as necessary to update privacy policies and the privacy notice prior to any change in the entity's business structure and activities.

Clear and Conspicuous (2.2.3)

Description: The privacy notice is conspicuous and uses clear language.

Ad hoc: Privacy policies are informal, not documented and may be phrased differently when orally communicated.

Repeatable: The privacy notice may be informally provided but is not easily understood, nor is it easy to see or easily available at points of data collection. If a formal privacy notice exists, it may not be clear and conspicuous.

Defined: The privacy notice is in plain and simple language, appropriately labeled, easy to see, and not in small print. Privacy notices provided electronically are easy to access and navigate.

Managed: Similar formats are used for different and relevant subsidiaries or segments of an entity to avoid confusion and allow consumers to identify any differences. Notice formats are periodically reviewed for clarity and consistency.

Optimized: Feedback about improvements to the readability and content of the privacy policies are analyzed and incorporated into future versions of the privacy notice.


CHOICE AND CONSENT (7 criteria)

The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

Privacy Policies (3.1.0)

Description: The entity's privacy policies address the choices to individuals and the consent to be obtained.

Ad hoc: Choice and consent policies and procedures exist informally.

Repeatable: Choice and consent provisions in privacy policies and procedures exist but may not cover all aspects, and are not fully documented.

Defined: Choice and consent provisions in privacy policies and procedures cover all relevant aspects and are fully documented.

Managed: Compliance with choice and consent provisions in privacy policies and procedures is monitored and the results of such monitoring are used to reinforce key privacy messages.

Optimized: Management monitors compliance with privacy policies and procedures relating to choice and consent. Issues of non-compliance are identified and remedial action taken to ensure compliance.

Communication to Individuals (3.1.1)

Description: Individuals are informed about (a) the choices available to them with respect to the collection, use, and disclosure of personal information, and (b) that implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise.

Ad hoc: Individuals may be informed about the choices available to them; however, communications are inconsistent, sporadic and undocumented.

Repeatable: The entity's privacy notice describes in a clear and concise manner some of the following: 1) choices available to the individual regarding collection, use, and disclosure of personal information, 2) the process an individual should follow to exercise these choices, 3) the ability of, and process for, an individual to change contact preferences and 4) the consequences of failing to provide personal information required.

Defined: The entity's privacy notice describes, in a clear and concise manner, all of the following: 1) choices available to the individual regarding collection, use, and disclosure of personal information, 2) the process an individual should follow to exercise these choices, 3) the ability of, and process for, an individual to change contact preferences and 4) the consequences of failing to provide personal information required.

Managed: Privacy policies and procedures are reviewed periodically to ensure the choices available to individuals are updated as necessary and the use of explicit or implicit consent is appropriate with regard to the personal information being used or disclosed.

Optimized: Changes and improvements to messaging and communications techniques and technologies are made in response to periodic assessments and feedback.

Consequences of Denying or Withdrawing Consent (3.1.2)

Description: When personal information is collected, individuals are informed of the consequences of refusing to provide personal information or of denying or withdrawing consent to use personal information for purposes identified in the notice.

Ad hoc: Individuals may not be informed consistently about the consequences of refusing, denying or withdrawing.

Repeatable: Consequences may be identified but may not be fully documented or consistently disclosed to individuals.

Defined: Individuals are informed about the consequences of refusing to provide personal information or denying or withdrawing consent.

Managed: Processes are in place to review the stated consequences periodically to ensure completeness, accuracy and relevance.

Optimized: Processes are implemented to reduce the consequences of denying consent, such as increasing the granularity of the application of such consequences.


Implicit or Explicit Consent (3.2.1)

Description: Implicit or explicit consent is obtained from the individual at or before the time personal information is collected or soon after. The individual's preferences expressed in his or her consent are confirmed and implemented.

Ad hoc: Consent is neither documented nor consistently obtained at or before collection of personal information.

Repeatable: Consent is consistently obtained, but may not be documented or obtained in a timely fashion.

Defined: Consent is obtained before or at the time personal information is collected and preferences are implemented (such as making appropriate database changes and ensuring that programs that access the database test for the preference). Explicit consent is documented and implicit consent processes are appropriate. Processes are in place to ensure that consent is recorded by the entity and referenced prior to future use.

Managed: An individual's preferences are confirmed and any changes are documented and referenced prior to future use.

Optimized: Consent processes are periodically reviewed to ensure the individual's preferences are being appropriately recorded and acted upon and, where necessary, improvements made. Automated processes are followed to test consent prior to use of personal information.

Consent for New Purposes and Uses (3.2.2)

Description: If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the individual is notified and implicit or explicit consent is obtained prior to such new use or purpose.

Ad hoc: Individuals are not consistently notified about new proposed uses of personal information previously collected.

Repeatable: Individuals are consistently notified about new purposes not previously specified. A process exists to notify individuals but may not be fully documented and consent might not be obtained before new uses.

Defined: Consent is obtained and documented prior to using personal information for purposes other than those for which it was originally collected.

Managed: Processes are in place to ensure personal information is used only in accordance with the purposes for which consent has been obtained and to ensure it is not used if consent is withdrawn. Monitoring is in place to ensure personal information is not used without proper consent.

Optimized: Consent processes are periodically reviewed to ensure consent for new purposes is being appropriately recorded and acted upon and where necessary, improvements made. Automated processes are followed to test consent prior to use of personal information.

Explicit Consent for Sensitive Information (3.2.3)

Description: Explicit consent is obtained directly from the individual when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise.

Ad hoc: Explicit consent is not consistently obtained prior to collection of sensitive personal information.

Repeatable: Employees who collect personal information are aware that explicit consent is required when obtaining sensitive personal information; however, the process is not well defined or fully documented.

Defined: A documented formal process has been implemented requiring explicit consent be obtained directly from the individual prior to, or as soon as practically possible, after collection of sensitive personal information.

Managed: The process is reviewed and compliance monitored to ensure explicit consent is obtained prior to, or as soon as practically possible, after collection of sensitive personal information.

Optimized: For procedures that collect sensitive personal information and do not obtain explicit consent, remediation plans are identified and implemented to ensure explicit consent has been obtained.


Consent for Online Data Transfers To or From an Individual's Computer or Other Similar Electronic Device (3.2.4)

Description: Consent is obtained before personal information is transferred to/from an individual's computer or similar device.

Ad hoc: Consent is not consistently obtained before personal information is transferred to/from another computer or other similar device.

Repeatable: Software enables an individual to provide consent before personal information is transferred to/from another computer or other similar device.

Defined: The application is designed to consistently solicit and obtain consent before personal information is transferred to/from another computer or other similar device and does not make any such transfers if consent has not been obtained. Such consent is documented.

Managed: The process is reviewed and compliance monitored to ensure consent is obtained before any personal information is transferred to/from an individual's computer or other similar device.

Optimized: Where procedures have been identified that do not obtain consent before personal information is transferred to/from an individual's computer or other similar device, remediation plans are identified and implemented.

COLLECTION (7 criteria)

The entity collects personal information only for the purposes identified in the notice.

Privacy Policies (4.1.0)

Description: The entity's privacy policies address the collection of personal information.

Ad hoc: Collection policies and procedures exist informally.

Repeatable: Collection provisions in privacy policies and procedures exist but might not cover all aspects, and are not fully documented.

Defined: Collection provisions in privacy policies cover all relevant aspects of collection and are fully documented.

Managed: Compliance with collection provisions in privacy policies and procedures is monitored and the results of such monitoring are used to reinforce key privacy messages.

Optimized: Management monitors compliance with privacy policies and procedures relating to collection. Issues of non-compliance are identified and remedial action taken to ensure compliance.

Communication to Individuals (4.1.1)

Description: Individuals are informed that personal information is collected only for the purposes identified in the notice.

Ad hoc: Individuals may be informed that personal information is collected only for purposes identified in the notice; however, communications are inconsistent, sporadic and undocumented.

Repeatable: Individuals are informed that personal information is collected only for the purposes identified in the notice. Such notification is generally not documented.

Defined: Individuals are informed that personal information is collected only for the purposes identified in the notice and the sources and methods used to collect this personal information are identified. Such notification is available in written format.

Managed: Privacy policies are reviewed periodically to ensure the areas related to collection are updated as necessary.

Optimized: Changes and improvements to messaging and communications methods and techniques are made in response to periodic assessments and feedback.


Types of Personal Information Collected and Methods of Collection (4.1.2)

Description: The types of personal information collected and the methods of collection, including the use of cookies or other tracking techniques, are documented and described in the privacy notice.

Ad hoc: Individuals may be informed about the types of personal information collected and the methods of collection; however, communications are informal, may not be complete and may not fully describe the methods of collection.

Repeatable: The types of personal information collected and the methods of collection, including the use of cookies or other tracking techniques, are neither fully documented nor fully described in the privacy notice.

Defined: The types of personal information collected and the methods of collection, including the use of cookies or other tracking techniques, are fully documented and fully described in the privacy notice. The notice also discloses whether information is developed or acquired about individuals, such as buying patterns. The notice also describes the consequences if the cookie is refused.

Managed: Management monitors business processes to identify new types of personal information collected and new methods of collection to ensure they are described in the privacy notice.

Optimized: The privacy notice is reviewed regularly and updated in a timely fashion to describe all the types of personal information being collected and the methods used to collect them.

    ollction imit toInti Prpo(4.2.1)

    The collection of personalinformation is limited to thatnecessary for the purposesidentied in the notice

    Inormal and undoc-umented proceduresare relied uponto ensure collec-tion is limited to thatnecessary or the pur-poses identifed inthe privacy notice.

    Policies and proce-dures, may not:

    be ullydocumented;

    distinguish thepersonal inormationessential or thepurposes identifedin the notice;

    dierentiatepersonal inormationrom optionalinormation.

    Policies and proce-dures that have beenimplemented areully documented toclearly distinguishthe personal inor-mation essential orthe purposes iden-tifed in the noticeand dierentiate itrom optional inor-mation. Collection opersonal inormation

    is limited to inorma-tion necessary or thepurposes identifed inthe privacy notice.

    Policies and proce-dures are in place toperiodically review theentitys needs or per-sonal inormation.

    Policies, proceduresand business pro-cesses are updateddue to changes inthe entitys needs orpersonal inorma-tion. Corrective actionis undertaken wheninormation not neces-sary or the purposesidentifed is collected.


Collection by Fair and Lawful Means (4.2.2)

Description: Methods of collecting personal information are reviewed by management before they are implemented to confirm that personal information is obtained (a) fairly, without intimidation or deception, and (b) lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information.

Ad hoc: Informal procedures exist limiting the collection of personal information to that which is fair and lawful; however, they may be incomplete and inconsistently applied.

Repeatable: Management may conduct reviews of how personal information is collected, but such reviews are inconsistent and untimely. Policies and procedures related to the collection of personal information are either not fully documented or incomplete.

Defined: Methods of collecting personal information are reviewed by management before they are implemented to confirm that personal information is obtained (a) fairly, without intimidation or deception, and (b) lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information.

Managed: Methods of collecting personal information are periodically reviewed by management after implementation to confirm that personal information is obtained fairly and lawfully.

Optimized: Complaints to the entity are reviewed to identify where unlawful or deceptive practices exist. Such complaints are reviewed and analyzed, and changes to policies and procedures to correct such practices are implemented.

Collection from Third Parties (4.2.3)

Description: Management confirms that third parties from whom personal information is collected (that is, sources other than the individual) are reliable sources that collect information fairly and lawfully.

Ad hoc: Limited guidance and direction exist to assist in the review of third-party practices regarding collection of personal information.

Repeatable: Reviews of third-party practices are performed, but such procedures are not fully documented.

Defined: The entity consistently reviews the privacy policies, collection methods and types of consent of third parties before accepting personal information from third-party data sources. Clauses are included in agreements that require third parties to collect information fairly and lawfully and in accordance with the entity's privacy policies.

Managed: Once agreements have been implemented, the entity conducts a periodic review of third-party collection of personal information. Corrective actions are discussed with third parties.

Optimized: Lessons learned from contracting and contract management processes are analyzed and, where appropriate, improvements are made to existing and future contracts involving collection of personal information by third parties.

Information Developed About Individuals (4.2.4)

Description: Individuals are informed if the entity develops or acquires additional information about them for its use.

Ad hoc: Policies and procedures informing individuals that additional information about them is being collected or used are informal, inconsistent and incomplete.

Repeatable: Policies and procedures exist to inform individuals when the entity develops or acquires additional personal information about them for its use; however, procedures are not fully documented or consistently applied.

Defined: The entity's privacy notice indicates that, if applicable, it may develop and/or acquire information about individuals by using third-party sources, browsing, e-mail content, credit and purchasing history. Additional consent is obtained where necessary.

Managed: The entity monitors information collection processes, including the collection of additional information, to ensure appropriate notification and consent requirements are complied with. Where necessary, changes are implemented.

Optimized: The entity's privacy notice provides transparency in the collection, use and disclosure of personal information. Individuals are given multiple opportunities to learn how personal information is developed or acquired.


USE, RETENTION AND DISPOSAL (5 criteria)

The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations, and thereafter appropriately disposes of such information.

Privacy Policies (5.1.0)

Description: The entity's privacy policies address the use, retention and disposal of personal information.

Ad hoc: Procedures for the use, retention and disposal of personal information are ad hoc, informal and likely incomplete.

Repeatable: Use, retention and disposal provisions in privacy policies and procedures exist but may not cover all aspects, and are not fully documented.

Defined: Use, retention and disposal provisions in privacy policies and procedures cover all relevant aspects and are fully documented.

Managed: Compliance with use, retention and disposal provisions in privacy policies and procedures is monitored.

Optimized: Management monitors compliance with privacy policies and procedures relating to use, retention and disposal. Issues of non-compliance are identified and remedial action taken to ensure compliance in a timely fashion.

Communication to Individuals (5.1.1)

Description: Individuals are informed that personal information is (a) used only for the purposes identified in the notice and only if the individual has provided implicit or explicit consent, unless a law or regulation specifically requires otherwise, (b) retained for no longer than necessary to fulfill the stated purposes, or for a period specifically required by law or regulation, and (c) disposed of in a manner that prevents loss, theft, misuse or unauthorized access.

Ad hoc: Individuals may be informed about the use, retention and disposal of their personal information; however, communications are inconsistent, sporadic and undocumented.

Repeatable: Individuals are informed about the use, retention and disposal of personal information, but this communication may not cover all aspects and is not fully documented. Retention periods are not uniformly communicated.

Defined: Individuals are consistently and uniformly informed about the use, retention and disposal of personal information. Data retention periods are identified and communicated to individuals.

Managed: Methods are in place to update communications to individuals when changes occur to use, retention and disposal practices.

Optimized: Individuals' general level of understanding of the use, retention and disposal of personal information is assessed. Feedback is used to continuously improve communication methods.

Use of Personal Information (5.2.1)

Description: Personal information is used only for the purposes identified in the notice and only if the individual has provided implicit or explicit consent, unless a law or regulation specifically requires otherwise.

Ad hoc: The use of personal information may be inconsistent with the purposes identified in the notice. Consent is not always obtained consistently.

Repeatable: Policies and procedures regarding the use of information have been adopted; however, they are not documented and may not be consistently applied.

Defined: Use of personal information is consistent with the purposes identified in the privacy notice. Consent for these uses is consistently obtained. Uses of personal information throughout the entity are in accordance with the individual's preferences and consent.

Managed: Uses of personal information are monitored and periodically reviewed for appropriateness. Management ensures that any discrepancies are corrected on a timely basis.

Optimized: The uses of personal information are monitored and periodically assessed for appropriateness; verifications of consent and usage are conducted through the use of automation. Any discrepancies are remediated in a timely fashion. Changes to laws and regulations are monitored and the entity's policies and procedures are amended as required.
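An added example, not part of the AICPA/CICA document, showing what the automated checks described above could look like in practice: the collection-limitation check behind criterion 4.2.1 (essential versus optional fields, corrective action when unnecessary information is collected) and the automated consent and usage verification that the Optimized level of 5.2.1 calls for. Both run against a purpose registry derived from the privacy notice. The registry, field names, purposes and consent records are constructed for the example; the `required_by_law` flag models the criterion's carve-out for uses a law or regulation specifically requires and, as this example's own design choice, bypasses only the consent check, not the check that the purpose is identified in the notice.

```python
"""Purpose-limitation checks for collection (4.2.1) and use (5.2.1).

Added illustration; the purpose registry, field names and consent records
are constructed for the example, not taken from the AICPA/CICA document or
from any real entity's privacy notice.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

# Hypothetical registry derived from a privacy notice: for each identified
# purpose, the fields essential to it and the fields that are merely optional.
PURPOSE_REGISTRY: Dict[str, Dict[str, FrozenSet[str]]] = {
    "order_fulfilment": {
        "essential": frozenset({"name", "shipping_address", "email"}),
        "optional": frozenset({"phone"}),
    },
    "marketing": {
        "essential": frozenset({"email"}),
        "optional": frozenset({"name"}),
    },
}


@dataclass(frozen=True)
class CollectionFinding:
    purpose: str
    over_collected: FrozenSet[str]       # fields the notice does not tie to this purpose
    optional_not_marked: FrozenSet[str]  # optional fields the form presents as mandatory

    @property
    def compliant(self) -> bool:
        return not self.over_collected and not self.optional_not_marked


def check_collection(purpose: str, form_fields: Set[str],
                     marked_optional: Set[str]) -> CollectionFinding:
    """Compare a collection form against the registry (criterion 4.2.1).

    `form_fields` is everything the form collects for `purpose`; `marked_optional`
    is the subset the form labels as optional. Any field outside the purpose's
    essential and optional sets is over-collection and needs corrective action;
    an optional field not marked as such removes the individual's choice.
    """
    spec = PURPOSE_REGISTRY[purpose]  # KeyError: the purpose is not in the notice at all
    allowed = spec["essential"] | spec["optional"]
    over = frozenset(form_fields - allowed)
    unmarked = frozenset((form_fields & spec["optional"]) - marked_optional)
    return CollectionFinding(purpose, over, unmarked)


@dataclass
class ConsentRecord:
    individual_id: str
    consented: Set[str] = field(default_factory=set)  # purposes consented to
    withdrawn: Set[str] = field(default_factory=set)  # purposes later withdrawn


@dataclass(frozen=True)
class UseDecision:
    allowed: bool
    notes: Tuple[str, ...]  # every reason the use was refused, or the basis relied upon


def check_use(purpose: str, fields: Set[str], consent: ConsentRecord,
              required_by_law: bool = False) -> UseDecision:
    """Decide whether a proposed use is permitted (criterion 5.2.1).

    Allowed only if the purpose is identified in the notice, every field used is
    one the notice associates with that purpose, and the individual's consent for
    that purpose is current (given and not withdrawn). `required_by_law` is this
    example's model of the criterion's carve-out: it bypasses the consent check
    only, and the basis relied upon is recorded in the notes.
    """
    notes = []
    spec = PURPOSE_REGISTRY.get(purpose)
    if spec is None:
        purpose_ok = False
        notes.append(f"purpose '{purpose}' is not identified in the notice")
    else:
        extra = fields - (spec["essential"] | spec["optional"])
        purpose_ok = not extra
        if extra:
            notes.append(f"fields outside purpose '{purpose}': {sorted(extra)}")
    if required_by_law:
        consent_ok = True
        notes.append("consent not required: use specifically required by law or regulation")
    elif purpose in consent.withdrawn:
        consent_ok = False
        notes.append(f"consent for '{purpose}' was withdrawn")
    elif purpose not in consent.consented:
        consent_ok = False
        notes.append(f"no consent recorded for '{purpose}'")
    else:
        consent_ok = True
    return UseDecision(purpose_ok and consent_ok, tuple(notes))


if __name__ == "__main__":
    # Constructed inputs: a checkout form that also asks for a date of birth.
    finding = check_collection("order_fulfilment",
                               {"name", "shipping_address", "email", "phone", "date_of_birth"},
                               marked_optional={"phone"})
    print("over-collected:", sorted(finding.over_collected))
    alice = ConsentRecord("alice", consented={"order_fulfilment"})
    print(check_use("marketing", {"email"}, alice))
```

Every refusal reason is kept rather than returning on the first one, so a periodic review (the Managed level) sees the whole picture for a use, and withdrawn consent is checked before given consent so a later withdrawal always wins.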


Retention of Personal Information (5.2.2)

Description: Personal information is retained for no longer than necessary to fulfill the stated purposes unless a law or regulation specifically requires otherwise.

Ad hoc: The retention of personal information is irregular and inconsistent.

Repeatable: Policies and procedures for identifying retention periods of personal information have been adopted, but may not be fully documented or cover all relevant aspects.

Defined: The entity has documented its retention policies and procedures and consistently retains personal information in accordance with such policies and practices.

Managed: Retention practices are periodically reviewed for compliance with policies, and changes are implemented when necessary.

Optimized: The retention of personal information is monitored and periodically assessed for appropriateness, and verifications of retention are conducted. Such processes are automated to the extent possible. Any discrepancies found are remediated in a timely fashion.

Disposal, Destruction and Redaction of Personal Information (5.2.3)

Description: Personal information no longer retained is anonymized, disposed of or destroyed in a manner that prevents loss, theft, misuse or unauthorized access.

Ad hoc: The disposal, destruction and redaction of personal information is irregular, inconsistent and incomplete.

Repeatable: Policies and procedures for identifying appropriate and current processes and techniques for the disposal, destruction and redaction of personal information have been adopted, but are not fully documented or complete.

Defined: The entity has documented its policies and procedures regarding the disposal, destruction and redaction of personal information, has implemented such practices and ensures that these practices are consistent with the privacy notice.

Managed: The disposal, destruction and redaction of personal information are consistently documented and periodically reviewed for compliance with policies and for appropriateness.

Optimized: The disposal, destruction and redaction of personal information are monitored and periodically assessed for appropriateness, and verification of the disposal, destruction and redaction is conducted. Such processes are automated to the extent possible. Any discrepancies found are remediated in a timely fashion.
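An added example, not part of the AICPA/CICA document, of the automated retention and disposal verification that the Optimized levels of 5.2.2 and 5.2.3 describe. It audits a record inventory against a retention schedule and flags the discrepancies a reviewer would want remediated: records held past their retention period, records disposed of before a statutory minimum, disposal by a method the policy does not accept, and disposal that nobody has verified (a record that was "deleted" but still answers a query has not been disposed of). The schedule, the approved methods, the records and the dates are constructed for the example.

```python
"""Automated retention and disposal verification (criteria 5.2.2 and 5.2.3).

Added illustration; the retention schedule, approved disposal methods and
record inventory are constructed for the example, not taken from the
AICPA/CICA document or from any real retention policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    max_days: int            # retain no longer than this after the purpose is fulfilled
    legal_min_days: int = 0  # statutory minimum where a law requires longer retention


# Hypothetical schedule keyed by the purpose identified in the notice.
RETENTION_SCHEDULE: Dict[str, RetentionRule] = {
    "order_fulfilment": RetentionRule(max_days=365),
    "marketing": RetentionRule(max_days=730),
    "tax_records": RetentionRule(max_days=7 * 365, legal_min_days=7 * 365),
}

# Methods the hypothetical policy accepts as preventing loss, theft, misuse or
# unauthorized access; anything else is treated as not disposed of.
APPROVED_METHODS = {"anonymized", "destroyed", "deleted"}


@dataclass
class Record:
    record_id: str
    purpose: str
    fulfilled_on: date                # when the stated purpose was fulfilled
    disposed_on: Optional[date] = None
    disposal_method: Optional[str] = None
    disposal_verified: bool = False   # e.g. destruction certificate, or a re-query found nothing


@dataclass(frozen=True)
class Discrepancy:
    record_id: str
    kind: str
    detail: str


def audit(records: List[Record], today: date) -> List[Discrepancy]:
    """Return every retention or disposal discrepancy in `records` as of `today`.

    Kinds: unknown_purpose (no rule, so retention cannot be justified), overdue
    (still held after the period ended), late_disposal (disposed after the period
    ended), premature (disposed before a statutory minimum), unapproved_method,
    and unverified (no evidence the data is actually gone).
    """
    findings: List[Discrepancy] = []
    for r in records:
        rule = RETENTION_SCHEDULE.get(r.purpose)
        if rule is None:
            findings.append(Discrepancy(r.record_id, "unknown_purpose",
                                        f"no retention rule for purpose '{r.purpose}'"))
            continue
        retain_until = r.fulfilled_on + timedelta(days=rule.max_days)
        keep_until = r.fulfilled_on + timedelta(days=rule.legal_min_days)
        if r.disposed_on is None:
            if today > retain_until:
                findings.append(Discrepancy(r.record_id, "overdue",
                                            f"retention ended {retain_until}, record still held"))
            continue
        if r.disposed_on > retain_until:
            findings.append(Discrepancy(r.record_id, "late_disposal",
                                        f"disposed {r.disposed_on}, retention ended {retain_until}"))
        if r.disposed_on < keep_until:
            findings.append(Discrepancy(r.record_id, "premature",
                                        f"disposed {r.disposed_on}, law requires retention to {keep_until}"))
        if r.disposal_method not in APPROVED_METHODS:
            findings.append(Discrepancy(r.record_id, "unapproved_method",
                                        f"method '{r.disposal_method}' not in approved list"))
        if not r.disposal_verified:
            findings.append(Discrepancy(r.record_id, "unverified",
                                        "no evidence that disposal completed"))
    return findings


def summarize(findings: List[Discrepancy]) -> Dict[str, int]:
    """Count discrepancies by kind, for the periodic assessment report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed inventory: one compliant record and one of each failure mode.
SAMPLE_RECORDS = [
    Record("r1", "order_fulfilment", date(2023, 1, 10), date(2024, 1, 5), "deleted", True),
    Record("r2", "order_fulfilment", date(2022, 6, 1)),                      # still held, overdue
    Record("r3", "marketing", date(2023, 9, 1)),                             # within period
    Record("r4", "tax_records", date(2020, 1, 1), date(2024, 1, 1), "deleted", True),  # premature
    Record("r5", "order_fulfilment", date(2023, 2, 1), date(2023, 12, 1), "moved_to_archive", False),
    Record("r6", "loyalty", date(2023, 1, 1)),                               # no rule
]

if __name__ == "__main__":
    for d in audit(SAMPLE_RECORDS, date(2024, 3, 1)):
        print(d.record_id, d.kind, d.detail)
    print(summarize(audit(SAMPLE_RECORDS, date(2024, 3, 1))))
```

Running the audit on a schedule is the "monitored and periodically assessed" part; the `disposal_verified` flag is what turns a disposal log entry into evidence, and is deliberately separate from the method so that an approved method without verification is still reported.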

ACCESS (8 criteria)

The entity provides individuals with access to their personal information for review and update.

Privacy Policies (6.1.0)

Description: The entity's privacy policies address providing individuals with access to their personal information.

Ad hoc: Informal access policies and procedures exist.

Repeatable: Access provisions in privacy policies and procedures exist but may not cover all aspects, and are not fully documented.

Defined: Access provisions in privacy policies and procedures cover all relevant aspects and are fully documented.

Managed: Compliance with access provisions in privacy policies and procedures is monitored.

Optimized: Management monitors compliance with privacy policies and procedures relating to access. Issues of non-compliance are identified and remedial action taken to ensure compliance.


Communication to Individuals (6.1.1)

Description: Individuals are informed about how they may obtain access to their personal information to review, update and correct that information.

Ad hoc: Individuals may be informed about how they may obtain access to their personal information; however, communications are inconsistent, sporadic and undocumented.

Repeatable: Individuals are usually informed about the procedures available to them to access their personal information, but this communication process may not cover all aspects and is not fully documented. Update and correction options may not be uniformly communicated.

Defined: Individuals are consistently and uniformly informed about the procedures available to them to access their personal information, including update and correction options; the communication process covers all relevant aspects and is fully documented.

Managed: Processes are in place to update communications to individuals when changes occur to access policies, procedures and practices.

Optimized: The entity ensures that individuals are informed about their personal information access rights, including update and correction options, through channels such as direct communication programs, notification on statements and other mailings, and training and awareness programs for staff. Management monitors and assesses the effects of its various initiatives and seeks to continuously improve methods of communication and understanding.

Access by Individuals to their Personal Information (6.2.1)

Description: Individuals are able to determine whether the entity maintains personal information about them and, upon request, may obtain access to their personal information.

Ad hoc: The entity has informal procedures granting individuals access to their information; however, such procedures are not documented and may not be consistently applied.

Repeatable: Some procedures are in place to allow individuals to access their personal information, but they may not cover all aspects and may not be fully documented.

Defined: Procedures to search for an individual's personal information and to grant individuals access to their information have been documented, implemented and cover all relevant aspects. Employees have been trained in how to respond to these requests, including recording such requests.

Managed: Procedures are in place to ensure individuals receive timely communication of what information the entity maintains about them and how they can obtain access. The entity monitors information and access requests to ensure appropriate access to such personal information is provided.

Optimized: The entity identifies and implements measures to improve the efficiency of its searches for an individual's personal information. The entity reviews the processes used to handle access requests to determine where improvements may be made and implements such improvements. Access to personal information is automated and self-service when possible and appropriate.


Confirmation of an Individual's Identity (6.2.2)

Description: The identity of individuals who request access to their personal information is authenticated before they are given access to that information.

Ad hoc: Procedures to authenticate individuals requesting access to their information are informal, not documented and may not be consistently applied.

Repeatable: Procedures are in place to confirm the identity of individuals requesting access to their personal information before they are granted access, but they do not cover all aspects and may not be documented. The level of authentication required may not be appropriate to the sensitivity of the personal information being accessed.

Defined: Confirmation/authentication methods have been implemented to uniformly and consistently confirm the identity of individuals requesting access to their personal information, including the training of employees.

Managed: Procedures are in place to track and monitor the confirmation/authentication of individuals before they are granted access to personal information, and to review the validity of granting access to such personal information.

Optimized: The successful confirmation/authentication of individuals before they are granted access to personal information is monitored and periodically assessed for both kinds of authentication error: type 1 errors, where an authentication failure is not caught and access is wrongly granted, and type 2 errors, where a legitimate request is incorrectly identified as an error and access is wrongly refused. Remediation plans to lower both error rates are formulated and implemented.

Understandable Personal Information, Time Frame, and Cost (6.2.3)

Description: Personal information is provided to the individual in an understandable form, in a reasonable time frame, and at a reasonable cost, if any.

Ad hoc: The entity has some informal procedures designed to provide information to individuals in an understandable form. Time frames and costs charged may be inconsistent and unreasonable.

Repeatable: Procedures are in place requiring that personal information be provided to the individual in an understandable form, in a reasonable time frame and at a reasonable cost, but they may not be fully documented or cover all aspects.

Defined: Procedures have been implemented that consistently and uniformly provide personal information to the individual in an understandable form, in a reasonable time frame and at a reasonable cost.

Managed: Procedures are in place to track and monitor the response time in providing personal information, the associated costs incurred by the entity and any charges to the individual making the request. Periodic assessments of the understandability of the format of information provided to individuals are conducted.

Optimized: Reports of response times in providing personal information are monitored and assessed. The associated costs incurred by the entity and any charges to the individual making the request are periodically assessed. Periodic assessments of the understandability of the format of information provided to individuals are conducted. Remediation plans are made and implemented for unacceptable response times, excessive or inconsistent charges and difficult-to-read personal information report formats. Conversion of personal information to an understandable form is automated where possible and appropriate.


Denial of Access (6.2.4)

Description: Individuals are informed, in writing, of the reason a request for access to their personal information was denied, the source of the entity's legal right to deny such access, if applicable, and the individual's right, if any, to challenge such denial, as specifically permitted or required by law or regulation.

Ad hoc: Informal procedures are used to inform individuals of the reason a request for access to their personal information was denied; however, they are incomplete and inconsistently applied.

Repeatable: Procedures are in place to inform individuals of the reason a request for access to their personal information was denied, but they may not be documented or cover all aspects. Notification may not be in writing or may not include the entity's legal rights to deny such access and the individual's right to challenge denials.

Defined: Consistently applied and uniform procedures have been implemented to inform individuals in writing of the reason a request for access to their personal information was denied. The entity's legal rights to deny such access have been identified, as well as the individual's right to challenge denials.

Managed: Procedures are in place to review the response time to individuals whose access request has been denied, the reasons for such denials, and any communications regarding challenges.

Optimized: Reports of denial reasons, response times and challenge communications are monitored and assessed. Remediation plans are identified and implemented for unacceptable response times and inappropriate denials of access. The denial process is automated and includes electronic responses where possible and appropriate.

Updating or Correcting Personal Information (6.2.5)

Description: Individuals are able to update or correct personal information held by the entity. If practical and economically feasible to do so, the entity provides such updated or corrected information to third parties that previously were provided with the individual's personal information.

Ad hoc: Informal and undocumented procedures exist that provide individuals with information on how to update or correct personal information held by the entity; however, they are incomplete and inconsistently applied.

Repeatable: Some procedures are in place for individuals to update or correct personal information held by the entity, but they are not complete and may not be fully documented. A process exists to review and confirm the validity of such requests and to inform third parties of changes made; however, not all of the processes are documented.

Defined: Documented policies with supporting procedures have been implemented to consistently and uniformly inform individuals of how to update or correct personal information held by the entity. Procedures have been implemented to consistently and uniformly provide updated information to third parties that previously received the individual's personal information.

Managed: Procedures are in place to track data update and correction requests and to validate the accuracy and completeness of such data. Documentation or justification is kept for n