Authority Document - Unified Compliance

Back

Asia > Parliament of Singapore

Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021

AD ID

0003342

AD STATUS

Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021

ORIGINATOR

Parliament of Singapore

TYPE

Regulation or Statute

AVAILABILITY

Free

SYNONYMS

Singapore Personal Data Protection Act 2012 (No. 26 of 2012) Revised Edition 2021

Singapore Personal Data Protection Act 2012 (No. 26 of 2012)

EFFECTIVE

2021-08-25

ADDED

The document as a whole was last reviewed and released on 2021-09-30T00:00:00-0700.

URL

Click here

AD ID

0003342

AD STATUS

Free

ORIGINATOR

Parliament of Singapore

TYPE

Regulation or Statute

AVAILABILITY

SYNONYMS

Singapore Personal Data Protection Act 2012 (No. 26 of 2012) Revised Edition 2021

Singapore Personal Data Protection Act 2012 (No. 26 of 2012)

EFFECTIVE

2021-08-25

ADDED

The document as a whole was last reviewed and released on 2021-09-30T00:00:00-0700.

URL

Click here

Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and asociated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021 that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021 are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.

Common Controls and
mandates by Impact Zone 172 Mandated Controls - bold
59 Implied Controls - italic 800 Implementation

Number of Controls

1031 Total

Audits and risk management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Audits and risk management CC ID 00677	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a risk management program. CC ID 12051	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a risk assessment program. CC ID 00687	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — conduct an assessment to determine that the proposed collection, use or disclosure of the personal data is not likely to have an adverse effect on the individual; § 15A.(4)(a) {legitimate interest}For the purposes of sub-paragraph (1), the organisation must — conduct an assessment, before collecting, using or disclosing the personal data (as the case may be), to determine whether sub-paragraph (1) is satisfied; and FIRST SCHEDULE PART 3 § 1.(2)(a) {legitimate interest}For the purposes of sub-paragraph (1), the organisation must — conduct an assessment, before collecting, using or disclosing the personal data (as the case may be), to determine whether sub-paragraph (1) is satisfied; and FIRST SCHEDULE PART 3 § 1.(2)(a) {legitimate interest}For the purposes of sub-paragraph (1), the organisation must — conduct an assessment, before collecting, using or disclosing the personal data (as the case may be), to determine whether sub-paragraph (1) is satisfied; and FIRST SCHEDULE PART 3 § 1.(2)(a)]	Process or Activity	Preventive
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630	Establish/Maintain Documentation	Preventive
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681	Establish/Maintain Documentation	Preventive
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371	Establish/Maintain Documentation	Preventive
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674	Establish/Maintain Documentation	Preventive
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673	Establish/Maintain Documentation	Preventive
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313	Communicate	Preventive
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370	Establish/Maintain Documentation	Preventive
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671	Establish/Maintain Documentation	Preventive
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [{legitimate interest}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify and implement reasonable measures — to eliminate the adverse effect; FIRST SCHEDULE PART 3 § 1.(3)(b)(i) {legitimate interest}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify and implement reasonable measures — to reduce the likelihood that the adverse effect will occur; or FIRST SCHEDULE PART 3 § 1.(3)(b)(ii) {legitimate interest}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify and implement reasonable measures — to mitigate the adverse effect; and FIRST SCHEDULE PART 3 § 1.(3)(b)(iii)]	Establish/Maintain Documentation	Preventive

Human Resources management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Human Resources management CC ID 00763	IT Impact Zone	IT Impact Zone
Define and assign workforce roles and responsibilities. CC ID 13267	Human Resources Management	Preventive
Identify and define all critical roles. CC ID 00777	Establish Roles	Preventive
Define and assign the data controller's roles and responsibilities. CC ID 00471 [An organisation is responsible for personal data in its possession or under its yle="background-color:#F0BBBC;" class="term_primary-noun">control. § 11.(2)]	Establish Roles	Preventive
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616	Human Resources Management	Preventive
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615	Human Resources Management	Preventive
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666	Human Resources Management	Preventive
Assign the role of data controller to applicable controls. CC ID 00354	Establish Roles	Preventive
Assign the role of data controller to provide advice, when requested. CC ID 12611	Human Resources Management	Preventive
Assign the role of data controller to additional personnel, as necessary. CC ID 00473	Establish Roles	Preventive
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764	Establish Roles	Preventive
Assign and staff all roles appropriately. CC ID 00784	Testing	Detective
Delegate authority for specific processes, as necessary. CC ID 06780 [An individual designated under subsection (3) may delegate to another individual the responsibility conferred by that BBBC;" class="term_primary-noun">designation. § 11.(4)]	Behavior	Preventive

Operational management

288

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Operational management CC ID 00805	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [An organisation shall — develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under this Act; § 12.(a)]	Establish/Maintain Documentation	Preventive
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266	Establish/Maintain Documentation	Preventive
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955	Behavior	Preventive
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283	Establish/Maintain Documentation	Preventive
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861	Acquisition/Sale of Assets or Services	Preventive
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853	Establish/Maintain Documentation	Preventive
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915	Process or Activity	Preventive
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895	Process or Activity	Preventive
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809	Audits and Risk Management	Preventive
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523	Human Resources Management	Preventive
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524	Human Resources Management	Preventive
Establish, implement, and maintain a compliance policy. CC ID 14807	Establish/Maintain Documentation	Preventive
Include the standard of conduct and accountability in the compliance policy. CC ID 14813	Establish/Maintain Documentation	Preventive
Include the scope in the compliance policy. CC ID 14812	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the compliance policy. CC ID 14811	Establish/Maintain Documentation	Preventive
Include a commitment to continual improvement in the compliance policy. CC ID 14810	Establish/Maintain Documentation	Preventive
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809	Communicate	Preventive
Include management commitment in the compliance policy. CC ID 14808	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a governance policy. CC ID 15587	Establish/Maintain Documentation	Preventive
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625	Communicate	Preventive
Include a commitment to continuous improvement in the governance policy. CC ID 15595	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the governance policy. CC ID 15594	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a positive information control environment. CC ID 00813	Business Processes	Preventive
Make compliance and governance decisions in a timely manner. CC ID 06490	Behavior	Preventive
Establish, implement, and maintain an internal control framework. CC ID 00820	Establish/Maintain Documentation	Preventive
Define the scope for the internal control framework. CC ID 16325	Business Processes	Preventive
Measure policy compliance when reviewing the internal control framework. CC ID 06442	Actionable Reports or Measurements	Corrective
Review the relevance of information supporting internal controls. CC ID 12420	Business Processes	Detective
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437	Establish Roles	Preventive
Assign resources to implement the internal control framework. CC ID 00816	Business Processes	Preventive
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146	Establish Roles	Preventive
Establish, implement, and maintain a baseline of internal controls. CC ID 12415	Business Processes	Preventive
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129	Establish/Maintain Documentation	Preventive
Include the implementation status of controls in the baseline of internal controls. CC ID 16128	Establish/Maintain Documentation	Preventive
Leverage actionable information to support internal controls. CC ID 12414	Business Processes	Preventive
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819	Establish/Maintain Documentation	Preventive
Include continuous service account management procedures in the internal control framework. CC ID 13860	Establish/Maintain Documentation	Preventive
Include threat assessment in the internal control framework. CC ID 01347	Establish/Maintain Documentation	Preventive
Automate threat assessments, as necessary. CC ID 06877	Configuration	Preventive
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102	Establish/Maintain Documentation	Preventive
Automate vulnerability management, as necessary. CC ID 11730	Configuration	Preventive
Include personnel security procedures in the internal control framework. CC ID 01349	Establish/Maintain Documentation	Preventive
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358	Establish/Maintain Documentation	Preventive
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205	Establish/Maintain Documentation	Preventive
Include security information sharing procedures in the internal control framework. CC ID 06489	Establish/Maintain Documentation	Preventive
Share security information with interested personnel and affected parties. CC ID 11732	Communicate	Preventive
Evaluate information sharing partners, as necessary. CC ID 12749	Process or Activity	Preventive
Include security incident response procedures in the internal control framework. CC ID 01359	Establish/Maintain Documentation	Preventive
Include incident response escalation procedures in the internal control framework. CC ID 11745	Establish/Maintain Documentation	Preventive
Include continuous user account management procedures in the internal control framework. CC ID 01360	Establish/Maintain Documentation	Preventive
Include emergency response procedures in the internal control framework. CC ID 06779	Establish/Maintain Documentation	Detective
Authorize and document all exceptions to the internal control framework. CC ID 06781	Establish/Maintain Documentation	Preventive
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229	Communicate	Preventive
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835	Communicate	Preventive
Establish, implement, and maintain a cybersecurity policy. CC ID 16833	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an information security program. CC ID 00812	Establish/Maintain Documentation	Preventive
Include physical safeguards in the information security program. CC ID 12375	Establish/Maintain Documentation	Preventive
Include technical safeguards in the information security program. CC ID 12374	Establish/Maintain Documentation	Preventive
Include administrative safeguards in the information security program. CC ID 12373	Establish/Maintain Documentation	Preventive
Include system development in the information security program. CC ID 12389	Establish/Maintain Documentation	Preventive
Include system maintenance in the information security program. CC ID 12388	Establish/Maintain Documentation	Preventive
Include system acquisition in the information security program. CC ID 12387	Establish/Maintain Documentation	Preventive
Include access control in the information security program. CC ID 12386	Establish/Maintain Documentation	Preventive
Review and approve access controls, as necessary. CC ID 13074	Process or Activity	Detective
Include operations management in the information security program. CC ID 12385	Establish/Maintain Documentation	Preventive
Include communication management in the information security program. CC ID 12384	Establish/Maintain Documentation	Preventive
Include environmental security in the information security program. CC ID 12383	Establish/Maintain Documentation	Preventive
Include physical security in the information security program. CC ID 12382	Establish/Maintain Documentation	Preventive
Include human resources security in the information security program. CC ID 12381	Establish/Maintain Documentation	Preventive
Include asset management in the information security program. CC ID 12380	Establish/Maintain Documentation	Preventive
Include a continuous monitoring program in the information security program. CC ID 14323	Establish/Maintain Documentation	Preventive
Include change management procedures in the continuous monitoring plan. CC ID 16227	Establish/Maintain Documentation	Preventive
include recovery procedures in the continuous monitoring plan. CC ID 16226	Establish/Maintain Documentation	Preventive
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225	Establish/Maintain Documentation	Preventive
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223	Establish/Maintain Documentation	Preventive
Include how the information security department is organized in the information security program. CC ID 12379	Establish/Maintain Documentation	Preventive
Include risk management in the information security program. CC ID 12378	Establish/Maintain Documentation	Preventive
Include mitigating supply chain risks in the information security program. CC ID 13352	Establish/Maintain Documentation	Preventive
Provide management direction and support for the information security program. CC ID 11999	Process or Activity	Preventive
Monitor and review the effectiveness of the information security program. CC ID 12744	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain an information security policy. CC ID 11740	Establish/Maintain Documentation	Preventive
Align the information security policy with the organization's risk acceptance level. CC ID 13042	Business Processes	Preventive
Include business processes in the information security policy. CC ID 16326	Establish/Maintain Documentation	Preventive
Include the information security strategy in the information security policy. CC ID 16125	Establish/Maintain Documentation	Preventive
Include a commitment to continuous improvement in the information security policy. CC ID 16123	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the information security policy. CC ID 16120	Establish/Maintain Documentation	Preventive
Include a commitment to the information security requirements in the information security policy. CC ID 13496	Establish/Maintain Documentation	Preventive
Include information security objectives in the information security policy. CC ID 13493	Establish/Maintain Documentation	Preventive
Include the use of Cloud Services in the information security policy. CC ID 13146	Establish/Maintain Documentation	Preventive
Include notification procedures in the information security policy. CC ID 16842	Establish/Maintain Documentation	Preventive
Approve the information security policy at the organization's management level or higher. CC ID 11737	Process or Activity	Preventive
Establish, implement, and maintain information security procedures. CC ID 12006	Business Processes	Preventive
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294	Establish/Maintain Documentation	Preventive
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303	Communicate	Preventive
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304	Establish/Maintain Documentation	Preventive
Define thresholds for approving information security activities in the information security program. CC ID 15702	Process or Activity	Preventive
Assign ownership of the information security program to the appropriate role. CC ID 00814	Establish Roles	Preventive
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884	Human Resources Management	Preventive
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885	Establish/Maintain Documentation	Preventive
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883	Human Resources Management	Preventive
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739	Communicate	Preventive
Establish, implement, and maintain a social media governance program. CC ID 06536	Establish/Maintain Documentation	Preventive
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011	Business Processes	Preventive
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009	Business Processes	Preventive
Refrain from accepting instant messages from unknown senders. CC ID 12537	Behavior	Preventive
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578	Establish/Maintain Documentation	Preventive
Include explicit restrictions in the social media acceptable use policy. CC ID 06655	Establish/Maintain Documentation	Preventive
Include contributive content sites in the social media acceptable use policy. CC ID 06656	Establish/Maintain Documentation	Preventive
Perform social network analysis, as necessary. CC ID 14864	Investigate	Detective
Establish, implement, and maintain operational control procedures. CC ID 00831	Establish/Maintain Documentation	Preventive
Include assigning and approving operations in operational control procedures. CC ID 06382	Establish/Maintain Documentation	Preventive
Include startup processes in operational control procedures. CC ID 00833	Establish/Maintain Documentation	Preventive
Include change control processes in the operational control procedures. CC ID 16793	Establish/Maintain Documentation	Preventive
Establish and maintain a data processing run manual. CC ID 00832	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826	Establish/Maintain Documentation	Preventive
Use systems in accordance with the standard operating procedures manual. CC ID 15049	Process or Activity	Preventive
Include metrics in the standard operating procedures manual. CC ID 14988	Establish/Maintain Documentation	Preventive
Include maintenance measures in the standard operating procedures manual. CC ID 14986	Establish/Maintain Documentation	Preventive
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984	Establish/Maintain Documentation	Preventive
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982	Establish/Maintain Documentation	Preventive
Include predetermined changes in the standard operating procedures manual. CC ID 14977	Establish/Maintain Documentation	Preventive
Include specifications for input data in the standard operating procedures manual. CC ID 14975	Establish/Maintain Documentation	Preventive
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973	Establish/Maintain Documentation	Preventive
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972	Establish/Maintain Documentation	Preventive
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969	Establish/Maintain Documentation	Preventive
Include the intended purpose in the standard operating procedures manual. CC ID 14967	Establish/Maintain Documentation	Preventive
Include information on system performance in the standard operating procedures manual. CC ID 14965	Establish/Maintain Documentation	Preventive
Include contact details in the standard operating procedures manual. CC ID 14962	Establish/Maintain Documentation	Preventive
Include information sharing procedures in standard operating procedures. CC ID 12974	Records Management	Preventive
Establish, implement, and maintain information sharing agreements. CC ID 15645	Business Processes	Preventive
Provide support for information sharing activities. CC ID 15644	Process or Activity	Preventive
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328	Business Processes	Preventive
Update operating procedures that contribute to user errors. CC ID 06935	Establish/Maintain Documentation	Corrective
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026	Communicate	Preventive
Establish, implement, and maintain a job scheduling methodology. CC ID 00834	Establish/Maintain Documentation	Preventive
Establish and maintain a job schedule exceptions list. CC ID 00835	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a data processing continuity plan. CC ID 00836	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350	Establish/Maintain Documentation	Preventive
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351	Establish/Maintain Documentation	Preventive
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894	Establish/Maintain Documentation	Preventive
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703	Establish/Maintain Documentation	Preventive
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708	Establish/Maintain Documentation	Preventive
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707	Establish/Maintain Documentation	Preventive
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706	Establish/Maintain Documentation	Preventive
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705	Establish/Maintain Documentation	Preventive
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293	Establish/Maintain Documentation	Preventive
Include a web usage policy in the Acceptable Use Policy. CC ID 16496	Establish/Maintain Documentation	Preventive
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352	Establish/Maintain Documentation	Preventive
Include asset tags in the Acceptable Use Policy. CC ID 01354	Establish/Maintain Documentation	Preventive
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699	Establish/Maintain Documentation	Preventive
Include asset use policies in the Acceptable Use Policy. CC ID 01355	Establish/Maintain Documentation	Preventive
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872	Establish/Maintain Documentation	Preventive
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353	Establish/Maintain Documentation	Preventive
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892	Technical Security	Preventive
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893	Establish/Maintain Documentation	Preventive
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772	Data and Information Management	Preventive
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356	Establish/Maintain Documentation	Preventive
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881	Establish/Maintain Documentation	Preventive
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357	Establish/Maintain Documentation	Preventive
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441	Establish/Maintain Documentation	Preventive
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296	Establish/Maintain Documentation	Corrective
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311	Establish/Maintain Documentation	Preventive
Include a software installation policy in the Acceptable Use Policy. CC ID 06749	Establish/Maintain Documentation	Preventive
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472	Establish/Maintain Documentation	Preventive
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431	Communicate	Preventive
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661	Establish/Maintain Documentation	Preventive
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075	Business Processes	Preventive
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512	Establish/Maintain Documentation	Preventive
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an e-mail policy. CC ID 06439	Establish/Maintain Documentation	Preventive
Include business use of personal e-mail in the e-mail policy. CC ID 14381	Establish/Maintain Documentation	Preventive
Identify the sender in all electronic messages. CC ID 13996 [{be clear}{be accurate}Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes clear and accurate information identifying the individual or organisation that sent or authorised the sending of the specified message; § 44.(a) {be clear}{be accurate}Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes clear and accurate information about how the recipient can readily contact that individual or organisation; § 44.(b) Subject to section 48(3), a person that makes a voice call containing a specified message or causes a voice call containing a specified message to be made or authorises the making of a voice call containing a specified message, addressed to a Singapore telephone number, from a telephone number or fax number, must not do any of the following: conceal or withhold from the recipient the calling line identity of the sender; § 45.(a) Subject to section 48(3), a person that makes a voice call containing a specified message or causes a voice call containing a specified message to be made or authorises the making of a voice call containing a specified message, addressed to a Singapore telephone number, from a telephone number or fax number, must not do any of the following: perform any operation or issue any instruction in connection with the sending of the specified message for the purpose of, or that has the effect of, concealing or withholding from the recipient the calling line identity of the sender. § 45.(b)]	Data and Information Management	Preventive
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain nondisclosure agreements. CC ID 04536	Establish/Maintain Documentation	Preventive
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191	Communicate	Preventive
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667	Establish/Maintain Documentation	Preventive
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a use of information agreement. CC ID 06215	Establish/Maintain Documentation	Preventive
Include use limitations in the use of information agreement. CC ID 06244	Establish/Maintain Documentation	Preventive
Include disclosure requirements in the use of information agreement. CC ID 11735	Establish/Maintain Documentation	Preventive
Include information recipients in the use of information agreement. CC ID 06245	Establish/Maintain Documentation	Preventive
Include reporting out of scope use of information in the use of information agreement. CC ID 06246	Establish/Maintain Documentation	Preventive
Include disclosure of information in the use of information agreement. CC ID 11830	Establish/Maintain Documentation	Preventive
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130	Establish/Maintain Documentation	Preventive
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418	Establish/Maintain Documentation	Preventive
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131	Establish/Maintain Documentation	Preventive
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132	Establish/Maintain Documentation	Preventive
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818	Business Processes	Preventive
Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821	Process or Activity	Preventive
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819	Process or Activity	Preventive
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818	Process or Activity	Preventive
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817	Process or Activity	Preventive
Analyze the Governance, Risk, and Compliance approach. CC ID 12816	Process or Activity	Preventive
Analyze the organizational culture. CC ID 12899	Process or Activity	Preventive
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922	Process or Activity	Detective
Include the organizational climate in the analysis of the organizational culture. CC ID 12921	Process or Activity	Detective
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920	Process or Activity	Detective
Include employee engagement in the analysis of the organizational culture. CC ID 12914	Behavior	Preventive
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674	Business Processes	Preventive
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673	Business Processes	Preventive
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675	Business Processes	Preventive
Include skill development in the analysis of the organizational culture. CC ID 12913	Behavior	Preventive
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912	Behavior	Preventive
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671	Business Processes	Preventive
Include employee loyalty in the analysis of the organizational culture. CC ID 12911	Behavior	Preventive
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910	Behavior	Preventive
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747	Process or Activity	Corrective
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{reasonable and appropriate measure} In meeting its responsibilities under this Act, an organisation shall "term_primary-verb">consider what a reasonable person would consider appropriate in the circumstances. § 11.(1) {reasonable and appropriate measure} In meeting its responsibilities under this Act, an organisation shall "term_primary-verb">consider what a reasonable person would consider appropriate in the circumstances. § 11.(1) The designation of an individual by an organisation under subsection (3) shall not relieve the organisation of any of its obligations under this Act. § 11.(6) {legitimate interest}{personal data}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — comply with any other prescribed requirements. FIRST SCHEDULE PART 3 § 1.(3)(c)]	Establish/Maintain Documentation	Preventive
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788	Communicate	Preventive
Review systems for compliance with organizational information security policies. CC ID 12004	Business Processes	Preventive
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [An organisation shall — communicate to its staff information about the organisation's policies and practices referred to in paragraph (a); and § 12.(c) An organisation shall — make information available on request about— the policies and practices referred to in paragraph (a); and § 12.(d)(i)]	Behavior	Preventive
Establish, implement, and maintain a customer service program. CC ID 00846	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an Incident Management program. CC ID 00853	Business Processes	Preventive
Include detection procedures in the Incident Management program. CC ID 00588	Establish/Maintain Documentation	Preventive
Share incident information with interested personnel and affected parties. CC ID 01212 [{data breach} The notification under subsection (1) must be made in the form and submitted in the manner required by the Commission. § 26D.(4)]	Data and Information Management	Corrective
Share data loss event information with the media. CC ID 01759	Behavior	Corrective
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036	Data and Information Management	Preventive
Share data loss event information with interconnected system owners. CC ID 01209	Establish/Maintain Documentation	Corrective
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539	Communicate	Preventive
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538	Communicate	Preventive
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547	Establish/Maintain Documentation	Preventive
Report data loss event information to breach notification organizations. CC ID 01210 [Where an organisation assesses, in accordance with section 26C, that a data breach is a notifiable data breach, the organisation must notify the Commission as soon as is practicable, but in any case no later than 3 calendar days after the day the organisation makes that assessment. § 26D.(1)]	Data and Information Management	Corrective
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326	Log Management	Detective
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797	Communicate	Preventive
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782	Communicate	Preventive
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731	Behavior	Corrective
Include data loss event notifications in the Incident Response program. CC ID 00364	Establish/Maintain Documentation	Preventive
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 [Where a data intermediary (other than a data intermediary mentioned in section 26E) has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation — the data intermediary must, without undue delay, notify that other organisation of the occurrence of the data breach; and § 26C.(3)(a) Subject to subsections (5), (6) and (7), on or after notifying the Commission under subsection (1), the organisation must also notify each affected individual affected by a notifiable data breach mentioned in section 26B(1)(a) in any manner that is reasonable in the circumstances. § 26D.(2) {refrain from delaying} the organisation must, without undue delay, notify the public agency of the occurrence of the data breach. § 26E. ¶ 1]	Behavior	Corrective
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 [Where a data intermediary (other than a data intermediary mentioned in section 26E) has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation — that other organisations must, upon notification by the data intermediary, conduct an assessment of whether the data breach is a notifiable data breach. § 26C.(3)(b) {reasonable manner}{be efficient} Subject to subsection (3), where an organisation has reason to believe that a data breach affecting personal data in its possession or under its control has occurred, the organisation must conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach. § 26C.(2)]	Behavior	Detective
Delay sending incident response notifications under predetermined conditions. CC ID 00804	Behavior	Corrective
Include required information in the written request to delay the notification to affected parties. CC ID 16785	Establish/Maintain Documentation	Preventive
Submit written requests to delay the notification of affected parties. CC ID 16783	Communicate	Preventive
Revoke the written request to delay the notification. CC ID 16843	Process or Activity	Preventive
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985	Establish/Maintain Documentation	Preventive
Avoid false positive incident response notifications. CC ID 04732	Behavior	Detective
Establish, implement, and maintain incident response notifications. CC ID 12975 [{data breach} The notification under subsection (1) must be made in the form and submitted in the manner required by the Commission. § 26D.(4)]	Establish/Maintain Documentation	Corrective
Refrain from charging for providing incident response notifications. CC ID 13876	Business Processes	Preventive
Include information required by law in incident response notifications. CC ID 00802 [The notification under subsection (1) or (2) must contain, to the best of the knowledge and belief of the organisation at the time it notifies the Commission or affected individual (as the case may be), all the information that is prescribed for this purpose. § 26D.(3)]	Establish/Maintain Documentation	Detective
Title breach notifications "Notice of Data Breach". CC ID 12977	Establish/Maintain Documentation	Preventive
Display titles of incident response notifications clearly and conspicuously. CC ID 12986	Establish/Maintain Documentation	Preventive
Display headings in incident response notifications clearly and conspicuously. CC ID 12987	Establish/Maintain Documentation	Preventive
Design the incident response notification to call attention to its nature and significance. CC ID 12984	Establish/Maintain Documentation	Preventive
Use plain language to write incident response notifications. CC ID 12976	Establish/Maintain Documentation	Preventive
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983	Establish/Maintain Documentation	Preventive
Refrain from including restricted information in the incident response notification. CC ID 16806	Actionable Reports or Measurements	Preventive
Include the affected parties rights in the incident response notification. CC ID 16811	Establish/Maintain Documentation	Preventive
Include details of the investigation in incident response notifications. CC ID 12296	Establish/Maintain Documentation	Preventive
Include the issuer's name in incident response notifications. CC ID 12062	Establish/Maintain Documentation	Preventive
Include a "What Happened" heading in breach notifications. CC ID 12978	Establish/Maintain Documentation	Preventive
Include a general description of the data loss event in incident response notifications. CC ID 04734	Establish/Maintain Documentation	Preventive
Include time information in incident response notifications. CC ID 04745	Establish/Maintain Documentation	Preventive
Include the identification of the data source in incident response notifications. CC ID 12305	Establish/Maintain Documentation	Preventive
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979	Establish/Maintain Documentation	Preventive
Include the type of information that was lost in incident response notifications. CC ID 04735	Establish/Maintain Documentation	Preventive
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776	Establish/Maintain Documentation	Preventive
Include a "What We Are Doing" heading in the breach notification. CC ID 12982	Establish/Maintain Documentation	Preventive
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736	Establish/Maintain Documentation	Preventive
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737	Establish/Maintain Documentation	Preventive
Include a "For More Information" heading in breach notifications. CC ID 12981	Establish/Maintain Documentation	Preventive
Include details of the companies and persons involved in incident response notifications. CC ID 12295	Establish/Maintain Documentation	Preventive
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744	Establish/Maintain Documentation	Preventive
Include the reporting individual's contact information in incident response notifications. CC ID 12297	Establish/Maintain Documentation	Preventive
Include any consequences in the incident response notifications. CC ID 12604	Establish/Maintain Documentation	Preventive
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746	Establish/Maintain Documentation	Preventive
Include a "What You Can Do" heading in the breach notification. CC ID 12980	Establish/Maintain Documentation	Preventive
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738	Establish/Maintain Documentation	Detective
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767	Communicate	Corrective
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766	Business Processes	Corrective
Include contact information in incident response notifications. CC ID 04739	Establish/Maintain Documentation	Preventive
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085	Communicate	Preventive
Send paper incident response notifications to affected parties, as necessary. CC ID 00366	Behavior	Corrective
Post the incident response notification on the organization's website. CC ID 16809	Process or Activity	Preventive
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803	Behavior	Corrective
Document the determination for providing a substitute incident response notification. CC ID 16841	Process or Activity	Preventive
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368	Behavior	Corrective
Telephone incident response notifications to affected parties, as necessary. CC ID 04650	Behavior	Corrective
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747	Behavior	Preventive
Include contact information in the substitute incident response notification. CC ID 16776	Establish/Maintain Documentation	Preventive
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748	Establish/Maintain Documentation	Preventive
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750	Behavior	Preventive
Publish the incident response notification in a general circulation periodical. CC ID 04651	Behavior	Corrective
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769	Behavior	Preventive
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367	Behavior	Corrective
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347	Communicate	Corrective

Privacy protection for information and data

716

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Privacy protection for information and data CC ID 00008	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data transparency program. CC ID 00375	Data and Information Management	Preventive
Establish, implement, and maintain opt-out notices. CC ID 13448 [A subscriber may apply to the Commission, in the form and manner prescribed — to remove his Singapore y-verb">oun">telephone numberspan> from a register. § 40.(1)(b)]	Establish/Maintain Documentation	Preventive
Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465	Establish/Maintain Documentation	Preventive
Include the opt out method for data subjects in the opt-out notice. CC ID 13467	Establish/Maintain Documentation	Preventive
Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463	Establish/Maintain Documentation	Preventive
Explain the right to opt out in the opt-out notice. CC ID 13462	Establish/Maintain Documentation	Preventive
Include the organization's right to share personal data in the opt-out notice. CC ID 13450	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain adequate openness procedures. CC ID 00377 [{absent consent} An organisation, on or before collecting personal data about an individual from another organisation without the consent of the individual, shall provide the other organisation with sufficient :#CBD0E5;" class="term_secondary-verb">ary-noun">informationpan> regarding the purpose of the an style="background-color:#F0BBBC;" class="term_primary-noun">collection to allow that other organisation to determine whether the disclosure would be in accordance with this Act. § 20.(2) An organisation shall — make information available on request about — § 12.(d)]	Data and Information Management	Preventive
Provide public proof the organization participates in a privacy program. CC ID 12349	Communicate	Preventive
Publish a description of processing activities in an official register. CC ID 00379	Establish/Maintain Documentation	Preventive
Establish and maintain a records request manual. CC ID 00381	Establish/Maintain Documentation	Preventive
Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382	Establish/Maintain Documentation	Preventive
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383	Behavior	Preventive
Define what is included in registration notices. CC ID 00386	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the registration notice. CC ID 16803	Establish Roles	Preventive
Include the verification method in the registration notice. CC ID 16798	Establish/Maintain Documentation	Preventive
Include the statutory authority in the registration notice. CC ID 16799	Establish/Maintain Documentation	Preventive
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387	Establish/Maintain Documentation	Preventive
Include a purpose specification description in the registration notice. CC ID 00388	Establish/Maintain Documentation	Preventive
Include information about the dispute resolution body in the registration notice. CC ID 16800	Establish/Maintain Documentation	Preventive
Include the data subject category being processed in the registration notice. CC ID 00389	Establish/Maintain Documentation	Preventive
Include the time period for data processing in the registration notice. CC ID 00390	Establish/Maintain Documentation	Preventive
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392	Establish/Maintain Documentation	Preventive
Provide legal authorities access to personal data, upon request. CC ID 06818	Data and Information Management	Preventive
Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609	Process or Activity	Preventive
Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618	Establish/Maintain Documentation	Preventive
Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 [For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of— on request by the individual, the business contact information of a person who is able to econdary-verb">answer on behalf of the organisation the individual's questions about the collection, use or disclosure of the personal data. § 20.(1)(c) An organisation shall make available to the public the business contact information of at least one of the individuals designated under subsection (3) or delegated under subsection (4). § 11.(5) Without limiting subsection (5), an organisation is deemed to have satisfied that subsection if the organisation makes available the business contact information of any individual mentioned in subsection (3) in any prescribed manner. 11.(5A)]	Establish/Maintain Documentation	Preventive
Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 [An organisation shall — make information available on request about — the complaint process referred to in paragraph (b). § 12.(d).(ii)]	Establish/Maintain Documentation	Preventive
Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 [{person]A checker must — provide the applicable information to P in accordance with any prescribed requirements. § 43A.(2)(b)]	Process or Activity	Preventive
Document the countries where restricted data may be stored. CC ID 12750	Data and Information Management	Preventive
Protect the rights of students and their parents or legal representatives. CC ID 00222	Data and Information Management	Preventive
Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014	Technical Security	Preventive
Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025	Records Management	Preventive
Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019	Records Management	Preventive
Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998	Records Management	Corrective
Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020	Records Management	Corrective
Define the criteria for waivers of data subjects' rights. CC ID 16858	Behavior	Preventive
Revoke waivers of data subject's rights, as necessary. CC ID 16859	Behavior	Preventive
Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996	Establish/Maintain Documentation	Preventive
Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004	Establish/Maintain Documentation	Preventive
Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003	Establish/Maintain Documentation	Preventive
Disclose educational data, as necessary. CC ID 00223 [{disclose}{without consent} The disclosure of personal data about an individual who is a current or former student of an educational institution to a public agency for the purposes of policy formulation or review. SECOND SCHEDULE PART 3 Division 1 § 2.]	Data and Information Management	Preventive
Grant access to education records in support of educational program audits. CC ID 13032	Records Management	Preventive
Grant access to education records in support of external requirements. CC ID 13033	Records Management	Preventive
Disclose statements added to education records, as necessary. CC ID 12990	Communicate	Preventive
Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220	Data and Information Management	Preventive
Disclose education records when written consent is received. CC ID 00224	Data and Information Management	Preventive
Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002	Establish/Maintain Documentation	Preventive
Specify the purpose of the disclosure in the written consent. CC ID 13001	Establish/Maintain Documentation	Preventive
Specify which education records may be disclosed in the written consent. CC ID 13000	Establish/Maintain Documentation	Preventive
Document the conditions when consent is not required to disclose educational data. CC ID 00225	Establish/Maintain Documentation	Preventive
Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005	Communicate	Preventive
Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023	Communicate	Preventive
Disclose educational data absent consent when it concerns sex offenders. CC ID 13013	Communicate	Preventive
Disclose educational data absent consent to other school officials. CC ID 00226	Data and Information Management	Preventive
Disclose educational data absent consent to another institution's school officials. CC ID 00227	Data and Information Management	Preventive
Disclose educational data absent consent in connection with financial aid. CC ID 00229	Data and Information Management	Preventive
Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230	Data and Information Management	Preventive
Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995	Communicate	Preventive
Disclose educational data absent consent to accrediting organizations. CC ID 00231	Data and Information Management	Preventive
Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232	Data and Information Management	Preventive
Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233	Data and Information Management	Preventive
Disclose educational data absent consent for a health and safety emergency. CC ID 00234	Data and Information Management	Preventive
Disclose educational data absent consent when it is merely directory information. CC ID 00235	Data and Information Management	Preventive
Disclose educational data absent consent to a crime victim. CC ID 00236	Data and Information Management	Preventive
Record the health and safety threats of students when disclosing personal data. CC ID 12997	Establish/Maintain Documentation	Preventive
Refrain from providing information to the data subject, as necessary. CC ID 12625 [An organisation is not required to provide information under section 21(1) in respect of— any examination conducted by an education institution, und-color:#F0BBBC;" class="term_primary-noun">examination scripts and, prior to the release of examination results, lass="term_primary-noun">examination results; FIFTH SCHEDULE § 1.(b) An organisation is not required to provide information under section 21(1) in respect of— the personal data of the beneficiaries of a F0BBBC;" class="term_primary-noun">private trust ss="term_primary-verb">kept solely for the purpose of administering the trust; FIFTH SCHEDULE § 1.(c) An organisation is not required to provide information under section 21(1) in respect of— personal data kept by an arbitral institution or a mediation centre solely for the >purposespan> of an style="background-color:#F0BBBC;" class="term_primary-noun">arbitration or mediation proceedings administered by the arbitral institution or mediation centre; FIFTH SCHEDULE § 1.(d) An organisation is not required to provide information under section 21(1) in respect of— a document related to a prosecution if all 0BBBC;" class="term_primary-noun">proceedings related to the prosecution haground-color:#CBD0E5;" class="term_secondary-verb">ve n style="background-color:#B7D8ED;" class="term_primary-verb">not been completed; FIFTH SCHEDULE § 1.(e) An organisation is not required to provide information under section 21(1) in respect of— personal data which is primary-verb">subjectspan> to an style="background-color:#F0BBBC;" class="term_primary-noun">legal privilege; FIFTH SCHEDULE § 1.(f) An organisation is not required to provide information under section 21(1) in respect of— personal data kept by an arbitral institution or a mediation centre solely for the >purposespan> of an style="background-color:#F0BBBC;" class="term_primary-noun">arbitration or mediation proceedings administered by the arbitral institution or mediation centre; SIXTH SCHEDULE § 1.(d) {notifiable data breach}An organisation must not notify any affected individual in accordance with subsection (2) if — the Commission so directs. § 26D.(6)(b) An organisation is not required to provide information under section 21(1) in respect of — derived personal data. SIXTH SCHEDULE § 1.(f)]	Communicate	Preventive
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 [{notifiable data breach}An organisation must not notify any affected individual in accordance with subsection (2) if — a prescribed law enforcement agency so instructs; or § 26D.(6)(a)]	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645	Communicate	Preventive
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632	Communicate	Preventive
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631	Communicate	Preventive
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629	Communicate	Preventive
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628	Communicate	Preventive
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393	Establish/Maintain Documentation	Preventive
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [{legitimate interest}For the purposes of sub-paragraph (1), the organisation must — provide the individual with reasonable access to information about the organisation's collection, use or disclosure of personal data (as the case may be) in accordance with sub-paragraph (1). FIRST SCHEDULE PART 3 § 1.(2)(b)]	Data and Information Management	Preventive
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780	Business Processes	Preventive
Provide the data subject with the data protection officer's contact information. CC ID 12573	Business Processes	Preventive
Notify the data subject of the right to data portability. CC ID 12603	Process or Activity	Preventive
Provide the data subject with information about the right to erasure. CC ID 12602	Process or Activity	Preventive
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [Any person may apply to the Commission, in the form and manner required by the Commission, to confirm whether any Singapore ;" class="term_primary-noun">telephone number is listed in a oun">register. § 40.(2)]	Establish/Maintain Documentation	Preventive
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399	Data and Information Management	Preventive
Establish and maintain a disclosure accounting record. CC ID 13022	Establish/Maintain Documentation	Preventive
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680	Establish/Maintain Documentation	Preventive
Include the disclosure purpose in the disclosure accounting record. CC ID 07135 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the organisation's intention to collect, use or disclose the personal data; § 15A.(4)(b)(i)]	Establish/Maintain Documentation	Preventive
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the purpose for which the personal data will be collected, used or disclosed; § 15A.(4)(b)(ii)]	Communicate	Preventive
Establish, implement, and maintain personal data choice and consent program. CC ID 12569 [A subscriber may apply to the Commission, in the form and manner prescribed — to add his Singapore y-verb">">telephone numbern> to a register; or § 40.(1)(a) A person does not contravene subsection (1) if the subscriber or user of the Singapore telephone number to which a specified message is sent — gave clear and unambiguous consent to the sending of the specified message to that Singapore telephone number; and § 43.(4)(a)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data request procedures. CC ID 16546	Establish/Maintain Documentation	Preventive
Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435	Human Resources Management	Preventive
Refrain from charging a fee to implement an opt-out request. CC ID 13877	Business Processes	Preventive
Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 [A person does not contravene subsection (1) if the subscriber or user of the Singapore telephone number to which a specified message is sent — the consent is evidenced in written or other form so as to be accessible for subsequent reference. § 43.(4)(b)]	Establish/Maintain Documentation	Preventive
Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438	Establish/Maintain Documentation	Preventive
Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999	Establish/Maintain Documentation	Preventive
Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440	Establish/Maintain Documentation	Preventive
Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439	Establish/Maintain Documentation	Preventive
Include the identity of the data subject in the disclosure authorization form. CC ID 13436	Establish/Maintain Documentation	Preventive
Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442	Establish/Maintain Documentation	Preventive
Include how personal data will be used in the disclosure authorization form. CC ID 13441	Establish/Maintain Documentation	Preventive
Include agreement termination information in the disclosure authorization form. CC ID 13437	Establish/Maintain Documentation	Preventive
Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781	Business Processes	Preventive
Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795	Business Processes	Preventive
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391	Data and Information Management	Preventive
Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452	Business Processes	Preventive
Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454	Business Processes	Preventive
Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526	Data and Information Management	Preventive
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [{allow} On giving notice, a subscriber or user of a Singapore telephone number may at any time withdraw any consent given to a person for the ="background-color:#CBD0E5;" class="term_secondary-verb">sending of any specified message to that Singapore telephone number. § 47.(1)]	Business Processes	Preventive
Confirm the individual's identity before granting an opt-out request. CC ID 16813	Process or Activity	Preventive
Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988	Establish/Maintain Documentation	Preventive
Allow consent requests to be provided in any official languages. CC ID 16530	Business Processes	Preventive
Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537	Communicate	Preventive
Collect and retain disclosure authorizations for each data subject. CC ID 13434	Records Management	Preventive
Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 [{refrain from requiring}(is unreasonable} A person shall not, as a condition for supplying goods, services, land, interest or opportunity, require a subscriber or user of a Singapore telephone number to give -verb">ound-color:#F0BBBC;" class="term_primary-noun">consentspan> for the sending of a specified le="background-color:#F0BBBC;" class="term_primary-noun">message to that Singapore telephone number or any other Singapore telephone number beyond what is reasonable to provide the goods, services, land, interest or opportunity to that subscriber or user, and any consent given in such circumstance is not validly given. § 46.(1) An organisation shall not — as a condition of providing a product or service, require an individual to consent to the collection, use or disclosure of personal data about the individual beyond what is reasonable to provide the product or service to that individual; or § 14.(2)(a)]	Data and Information Management	Preventive
Refrain from obtaining consent through deception. CC ID 13556 [{deceptive act or practice}{refrain from accepting} If a person obtains or attempts to obtain consent for sending a specified message to a Singapore telephone number— by providing="term_secondary-verb"> false or misleading information with respect to the sending of the specified message; or by using deceptive or misleading practices, any und-coloy-verb">r:#F0BBBC;" class="term_primary-noun">consent given in such circumstances is not validly given. § 46.(2) ¶ 1 An organisation shall not — obtain or attempt to obtain consent for collecting, using, or disclosing personal data by providing false or misleading information with respect to the collection, use, or disclosure of the personal data, or using deceptive or misleading practices. § 14.(2)(b)]	Data and Information Management	Preventive
Give individuals the ability to change the uses of their personal data. CC ID 00469 [{refrain from using} Notwithstanding the other provisions in this Part, an organisation may use personal data about an individual collected before the appointed day for the purposes for which the personal data was collected unless — consent for such use is withdrawn in accordance with section 16; or § 19.(a) A person shall not prohibit a subscriber or user of a Singapore telephone number from withdrawing his consent to the sending of a specified ound-color:#F0BBBC;" class="terd-color:#CBD0E5;" class="term_secondary-verb">m_primary-noun">message to that Singapore telephone number, but this section shall not affect any legal consequences arising from such withdrawal. § 47.(2)]	Data and Information Management	Preventive
Notify data subjects of the implications of withdrawing consent. CC ID 13551 [On receipt of the notice referred to in subsection (1), the organisation concerned shall inform the individual of the likely consequences of withdrawing his consent. § 16.(2) An organisation shall not prohibit an individual from withdrawing his consent to the collection, use or disclosure of personal data about the individual, but this section shall not affect any legal consequences arising from such withdrawal. § 16.(3)]	Data and Information Management	Preventive
Establish, implement, and maintain a personal data accountability program. CC ID 13432	Establish/Maintain Documentation	Preventive
Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 [An organisation shall designate one or more individuals to be responsible for ensuring that the organisation verb">complies with this Act. § 11.(3)]	Human Resources Management	Preventive
Require data controllers to be accountable for their actions. CC ID 00470	Establish Roles	Preventive
Notify the supervisory authority. CC ID 00472 [{terminated telephone number} Every telecommunications service provider shall report to the ground-color:#F0BBBC;" class="term_primary-noun">Commission, in the form and manner prescribed, all terminated Singapore telephone numbers. § 42.(1) {report}{terminated telephone number}For the purpose of subsection (1), where — it shall be the responsibility of the first provider to satisfy subsection (1). § 42.(4) ¶ 1]	Behavior	Preventive
Establish, implement, and maintain approval applications. CC ID 16778	Establish/Maintain Documentation	Preventive
Define the requirements for approving or denying approval applications. CC ID 16780	Business Processes	Preventive
Submit approval applications to the supervisory authority. CC ID 16627	Communicate	Preventive
Include required information in the approval application. CC ID 16628	Establish/Maintain Documentation	Preventive
Extend the time limit for approving or denying approval applications. CC ID 16779	Business Processes	Preventive
Approve the approval application unless applicant has been convicted. CC ID 16603	Process or Activity	Preventive
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606	Process or Activity	Preventive
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605	Communicate	Preventive
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675	Communicate	Corrective
Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 [{business improvement purpose}Sub-paragraph (1)(a) and (c) applies only if — X and Y are bound by any contract or other agreement or binding corporate rules requiring the recipient of personal data about P to implement and maintain appropriate safeguards for the personal data. FIRST SCHEDULE PART 5 § 1.(3)(c)]	Establish/Maintain Documentation	Preventive
Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682	Establish/Maintain Documentation	Preventive
Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612	Establish/Maintain Documentation	Preventive
Include data subject's rights in the Binding Corporate Rules. CC ID 12596	Establish/Maintain Documentation	Preventive
Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597	Establish/Maintain Documentation	Preventive
Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595	Establish/Maintain Documentation	Preventive
Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594	Establish/Maintain Documentation	Preventive
Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620	Establish/Maintain Documentation	Preventive
Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593	Establish/Maintain Documentation	Preventive
Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591	Establish/Maintain Documentation	Preventive
Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592	Establish/Maintain Documentation	Preventive
Include complaint procedures in the Binding Corporate Rules. CC ID 12613	Establish/Maintain Documentation	Preventive
Include the data transfers in the Binding Corporate Rules. CC ID 12590	Establish/Maintain Documentation	Preventive
Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662	Establish/Maintain Documentation	Preventive
Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601	Establish/Maintain Documentation	Preventive
Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600	Establish/Maintain Documentation	Preventive
Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599	Establish/Maintain Documentation	Preventive
Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598	Establish/Maintain Documentation	Preventive
Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627	Establish/Maintain Documentation	Preventive
Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain Data Processing Contracts. CC ID 12650	Establish/Maintain Documentation	Preventive
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — satisfy any other prescribed requirements. § 15A.(4)(c) The organisation must, in respect of the assessment mentioned in subsection (4)(a) — comply with any other prescribed requirements. § 15A.(5)(c) {person}A checker is deemed to have complied with subsection (2)(a) if — the applicable information that the checker provides to P is in accordance with a reply from the Commission in response to the checker's application under section 40(2); and § 43A.(3)(a)]	Establish/Maintain Documentation	Preventive
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 [{prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: if any personal data X collects from Y does not relate directly to the part of Y or Y's business assets with which the business asset transaction entered into is concerned, X must destroy, or return to Y, that personal data; FIRST SCHEDULE PART 4 § 1.(4)(b)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data use limitation program. CC ID 13428	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093	Establish/Maintain Documentation	Preventive
Notify the data subject of the collection purpose. CC ID 00095 [For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of— the purposes for the collection, use or disclosure of the personal data, as the case may be, on or before pan style="background-color:#CBD0E5;" class="term_secondary-verb">collecting the personal data; § 20.(1)(a) For the purposes of subsection (4), the organisation must inform the individual of the following: the purpose for which the organisation is collecting, using or disclosing (as the case may be) the personal data about the individual; § 20.(5)(a) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the purpose for which the personal data will be collected, used or disclosed; § 15A.(4)(b)(ii) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the organisation's intention to collect, use or disclose the personal data; § 15A.(4)(b)(i) {individual's vital interest} Where the organisation collects, uses or discloses (as the case may be) personal data about the individual under sub-paragraph (1), the organisation must, as soon as is practicable, notify the individual of the collection, use or disclosure (as the case may be) and the purpose for the collection, use or disclosure, as the case may be. FIRST SCHEDULE PART 1 § 1.(2)]	Behavior	Preventive
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096	Data and Information Management	Preventive
Notify the data subject of changes to personal data use. CC ID 00105 [For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of— any other purpose of the use or disclosure of the personal data of which the individual has not been informed under paragraph (a), before the un">usepan> or disclosure of the personal data for that purpose; and § 20.(1)(b)]	Behavior	Preventive
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106	Establish/Maintain Documentation	Preventive
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108	Establish/Maintain Documentation	Preventive
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 [If an individual gives or is deemed to have given, consent to the disclosure of personal data about the individual by one organisation to another organisation for a particular purpose, the individual is deemed to consent to the collection, use, or disclosure of the personal data for that particular purpose by that other organisation. § 15.(2) {consent}{disclosure} Where an organisation collects personal data disclosed to it by B under subsection (3)(c), subsection (3)(b) and (c) applies to the organisation as if the personal data were disclosed by A to the organisation under subsection (3)(a). § 15.(4)]	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453	Establish/Maintain Documentation	Preventive
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449	Establish/Maintain Documentation	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447	Establish/Maintain Documentation	Preventive
Dispose of media and restricted data in a timely manner. CC ID 00125 [{dispose}{deidentify}{no longer appropriate} An organisation shall cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that — the ass="term_primastyle="background-color:#CBD0E5;" class="term_secondary-verb">ry-noun">purpose for which that personal data was collected is no longer being served by retention of the personal data; and § 25.(a) {dispose}{deidentify} An organisation shall cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that— <span style="background-color:#F0BBBC;" class="term_primary-noun">retention is style="background-color:#CBD0E5;" class="term_secondary-verb">rm_primary-verb">no longer necessaryspan> for legal or business purposes. § 25.(b) {prospective party}{organization} If the business asset transaction does not proceed or is not completed, X must destroy, or return to Y, all personal data collected. FIRST SCHEDULE PART 4 § 1.(5) {organization}{prospective party}{business asset transaction}{individual}If the relevant transaction does not proceed or is not completed — X must destroy, or return to Y or Z (as the case may be), all personal data collected; and FIRST SCHEDULE PART 4 § 2.(4)(a) {business asset transaction}{organization}If the relevant transaction does not proceed or is not completed — Y must destroy, or return to Z, all personal data collected. FIRST SCHEDULE PART 4 § 2.(4)(b)]	Data and Information Management	Preventive
Refrain from destroying records being inspected or reviewed. CC ID 13015	Records Management	Preventive
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502	Communicate	Preventive
Establish, implement, and maintain data access procedures. CC ID 00414	Establish/Maintain Documentation	Preventive
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 [An organisation may collect, use or disclose personal data about an individual only for purposes— that the -noun">individual has been n style="background-color:#B7D8ED;" class="term_primary-verb">informed of under section 20, if applicable. § 18.(b) Subject to subsections (2), (3) and (4), on request of an individual, an organisation shall, as soon as reasonably possible, provide the individual with— information about the ways in which the personal data referred to in paragraph (a) has been or may have been used or disclosed by the organisation within a year before the date of the request. § 21.(1)(b) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the purpose for which the personal data will be collected, used or disclosed; § 15A.(4)(b)(ii) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the organisation's intention to collect, use or disclose the personal data; § 15A.(4)(b)(i) {individual's vital interest} Where the organisation collects, uses or discloses (as the case may be) personal data about the individual under sub-paragraph (1), the organisation must, as soon as is practicable, notify the individual of the collection, use or disclosure (as the case may be) and the purpose for the collection, use or disclosure, as the case may be. FIRST SCHEDULE PART 1 § 1.(2) For the purposes of subsection (4), the organisation must inform the individual of the following: the purpose for which the organisation is collecting, using or disclosing (as the case may be) the personal data about the individual; § 20.(5)(a) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or § 20.(4)(a) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or § 20.(4)(a) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or § 20.(4)(a) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. § 20.(4)(b) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. § 20.(4)(b) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. § 20.(4)(b)]	Data and Information Management	Preventive
Provide individuals with information about disclosure of their personal data. CC ID 00417 [{individual's vital interest} Where the organisation collects, uses or discloses (as the case may be) personal data about the individual under sub-paragraph (1), the organisation must, as soon as is practicable, notify the individual of the collection, use or disclosure (as the case may be) and the purpose for the collection, use or disclosure, as the case may be. FIRST SCHEDULE PART 1 § 1.(2)]	Data and Information Management	Preventive
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418	Data and Information Management	Preventive
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [{allow} An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. § 22.(1)]	Establish/Maintain Documentation	Preventive
Submit personal data removal requests in writing. CC ID 11973	Records Management	Preventive
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975	Establish/Maintain Documentation	Preventive
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812	Records Management	Corrective
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 [Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the organisation satisfies the requirements in subsection (4); and § 15A.(2)(a)]	Establish/Maintain Documentation	Preventive
Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual; § 15A.(5)(a) {legitimate interest}{collect}{disclose}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify any adverse effect that the proposed collection, use or disclosure (as the case may be) of personal data about an individual is likely to have on the individual; FIRST SCHEDULE PART 3 § 1.(3)(a)]	Data and Information Management	Preventive
Disclose de-identified data, as necessary. CC ID 13034	Communicate	Preventive
Notify the data subject after personal data is used or disclosed. CC ID 06247 [{business asset transaction}{organization}{prospective party}If X enters into the relevant transaction, the following conditions apply: X, Y or Z must notify the applicable individuals of Z whose personal data is disclosed that — the relevant transaction has taken place; and FIRST SCHEDULE PART 4 § 2.(3)(c)(i) {business asset transaction}{organization}{prospective party}If X enters into the relevant transaction, the following conditions apply: X, Y or Z must notify the applicable individuals of Z whose personal data is disclosed that — the personal data about them has been disclosed to X. FIRST SCHEDULE PART 4 § 2.(3)(c)(ii) If X enters into the business asset transaction, the following conditions apply: X or Y must notify the applicable individuals of Y whose personal data is disclosed that — the business asset transaction has taken place; and FIRST SCHEDULE PART 4 § 1.(4)(c)(i)]	Behavior	Preventive
Refrain from processing restricted data, as necessary. CC ID 12551 [Notwithstanding the other provisions in this Part, an organisation may use personal data about an individual collected before the appointed day for the purposes for which the personal data was collected unless — the individual, whether before, on or after the appointed day, has otherwise indicated to the organisation that he does not consent to the use of the personal data. § 19.(b) An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless — § 13.]	Records Management	Preventive
Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668	Process or Activity	Preventive
Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667	Process or Activity	Preventive
Refrain from erasing personal data when the data subject consents to retention. CC ID 14326	Business Processes	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778	Process or Activity	Detective
Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649	Process or Activity	Preventive
Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644	Process or Activity	Preventive
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197	Data and Information Management	Preventive
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528	Data and Information Management	Preventive
Refrain from processing personal data when it reveals trade union membership. CC ID 12583	Business Processes	Preventive
Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582	Business Processes	Preventive
Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581	Business Processes	Preventive
Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580	Business Processes	Preventive
Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579	Business Processes	Preventive
Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578	Business Processes	Preventive
Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577	Business Processes	Preventive
Refrain from processing personal data when it reveals religious beliefs. CC ID 12576	Business Processes	Preventive
Refrain from processing personal data when it reveals political opinions. CC ID 12575	Business Processes	Preventive
Refrain from processing personal data if it reveals ethnic origin. CC ID 12574	Business Processes	Preventive
Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619	Process or Activity	Preventive
Establish and maintain a record of processing activities when processing restricted data. CC ID 12636	Establish/Maintain Documentation	Preventive
Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378	Establish/Maintain Documentation	Preventive
Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377	Establish/Maintain Documentation	Preventive
Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376	Establish/Maintain Documentation	Preventive
Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375	Establish/Maintain Documentation	Preventive
Include the data protection officer's contact information in the record of processing activities. CC ID 12640	Records Management	Preventive
Include the data processor's contact information in the record of processing activities. CC ID 12657	Records Management	Preventive
Include the data processor's representative's contact information in the record of processing activities. CC ID 12658	Records Management	Preventive
Include a general description of the implemented security measures in the record of processing activities. CC ID 12641	Records Management	Preventive
Include a description of the data subject categories in the record of processing activities. CC ID 12659	Records Management	Preventive
Include the purpose of processing restricted data in the record of processing activities. CC ID 12663	Records Management	Preventive
Include the personal data processing categories in the record of processing activities. CC ID 12661	Records Management	Preventive
Include the time limits for erasing each data category in the record of processing activities. CC ID 12690	Records Management	Preventive
Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664	Records Management	Preventive
Include a description of the personal data categories in the record of processing activities. CC ID 12660	Records Management	Preventive
Include the joint data controller's contact information in the record of processing activities. CC ID 12639	Records Management	Preventive
Include the data controller's representative's contact information in the record of processing activities. CC ID 12638	Records Management	Preventive
Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643	Records Management	Preventive
Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642	Records Management	Preventive
Include the data controller's contact information in the record of processing activities. CC ID 12637	Records Management	Preventive
Process restricted data lawfully and carefully. CC ID 00086 [{be appropriate} An organisation may collect, use or disclose personal data> about an individual only for purposes— that a reasonable person would consider appropriate in the n style="background-color:#F0BBBC;" class="term_primary-noun">circumstances; and § 18.(a)]	Establish Roles	Preventive
Analyze requirements for processing personal data in contracts. CC ID 12550	Investigate	Detective
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646	Technical Security	Preventive
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200	Data and Information Management	Preventive
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990	Communicate	Corrective
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966	Records Management	Preventive
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210	Establish/Maintain Documentation	Preventive
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212	Data and Information Management	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970	Records Management	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969	Process or Activity	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976	Records Management	Preventive
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250	Data and Information Management	Preventive
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257	Establish/Maintain Documentation	Preventive
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201	Establish/Maintain Documentation	Preventive
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 [{disclose}The disclosure of personal data about an individual who is a current or former patient of any of the following to a public agency for the purposes of policy formulation or review: a healthcare institution licensed under the Private Hospitals and Medical Clinics Act (Cap. 248); SECOND SCHEDULE PART 3 Division 1 § 3.(a)]	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 [{disclose}The disclosure of personal data about an individual who is a current or former patient of any of the following to a public agency for the purposes of policy formulation or review: a prescribed healthcare body. SECOND SCHEDULE PART 3 Division 1 § 3.(c) {disclose}The disclosure of personal data about an individual who is a current or former patient of any of the following to a public agency for the purposes of policy formulation or review: a licensee under the Healthcare Services Act 2020 (Act 3 of 2020); SECOND SCHEDULE PART 3 Division 1 § 3.(b)]	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819	Data and Information Management	Preventive
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216	Establish/Maintain Documentation	Preventive
Define and implement valid authorization control requirements. CC ID 06258	Establish/Maintain Documentation	Preventive
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217	Data and Information Management	Preventive
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218	Data and Information Management	Preventive
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219	Data and Information Management	Preventive
Process personal data after the data subject has granted explicit consent. CC ID 00180 [{refrain from processing} An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless— the individual rb">gives</span>, or is deemed to have given, his consent under this Act to the collection, use or disclosure, as the case may be; or § 13.(a)]	Data and Information Management	Preventive
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182	Data and Information Management	Preventive
Process personal data relating to criminal offenses when required by law. CC ID 00237	Data and Information Management	Preventive
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183	Data and Information Management	Preventive
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184	Data and Information Management	Preventive
Process personal data for statistical purposes or scientific purposes. CC ID 00256	Data and Information Management	Preventive
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [{collect}{disclose}Subject to sub-paragraphs (2), (3) and (4) — the collection, use or disclosure (as the case may be) of personal data about an individual is in the legitimate interests of the organisation or another person; and FIRST SCHEDULE PART 3 § 1.(1)(a)]	Data and Information Management	Preventive
Process traffic data in a controlled manner. CC ID 00130	Data and Information Management	Preventive
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186	Data and Information Management	Preventive
Process personal data when it is publicly accessible. CC ID 00187 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual that is publicly available. FIRST SCHEDULE PART 2 § 1.]	Data and Information Management	Preventive
Process personal data for direct marketing and other personalized mail programs. CC ID 00188	Data and Information Management	Preventive
Refrain from processing personal data for marketing or advertising to children. CC ID 14010	Business Processes	Preventive
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708	Communicate	Corrective
Process personal data for the purposes of employment. CC ID 16527	Data and Information Management	Preventive
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services. FIRST SCHEDULE PART 3 § 5.]	Data and Information Management	Preventive
Process personal data for debt collection or benefit payments. CC ID 00190 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to recover a debt owed by the individual to the organisation; or FIRST SCHEDULE PART 3 § 4.(a) {collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to pay to the individual a debt owed by the organisation. FIRST SCHEDULE PART 3 § 4.(b) {legitimate interest}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — confer an interest or a benefit on the individual under a private trust or benefit plan; and FIRST SCHEDULE PART 3 § 7.(a)]	Data and Information Management	Preventive
Process personal data in order to advance the public interest. CC ID 00191 [The use of personal data about an individual for a research purpose (including historical or statistical research), if — there is a clear public benefit to using the personal data for the research purpose; SECOND SCHEDULE PART 2 Division 3 § 1.(b)]	Data and Information Management	Preventive
Process personal data for surveys, archives, or scientific research. CC ID 00192	Data and Information Management	Preventive
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 [{without consent} The personal data about an individual is collected, used or disclosed (as the case may be) by a news organisation solely for its news activity. FIRST SCHEDULE PART 2 § 5. {without consent}{artistic purpose}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for artistic or literary purposes. FIRST SCHEDULE PART 2 § 3.]	Data and Information Management	Preventive
Process personal data for academic purposes or religious purposes. CC ID 00194	Data and Information Management	Preventive
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195	Data and Information Management	Preventive
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196	Data and Information Management	Preventive
Follow legal obligations while processing personal data. CC ID 04794	Data and Information Management	Preventive
Start personal data processing only after the needed notifications are submitted. CC ID 04791	Data and Information Management	Preventive
Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 [An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if— it is reasonable that the individual would voluntarily provide the y-verb">le="background-color:#F0BBBC;" class="term_primary-noun">data. § 15.(1)(b) An organisation may — use personal data about an individual without the consent of the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 2 of the Second Schedule; or § 17.(1)(b) {individual's vital interest}{without consent}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — the individual would not reasonably be expected to withhold consent. FIRST SCHEDULE PART 1 § 1.(1)(b) {without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is in the national interest. FIRST SCHEDULE PART 2 § 2. {business improvement purpose}{organization}Subject to the conditions in sub-paragraphs (3), (4) and (5), personal data about an individual (P) — is used by X for a relevant purpose; or FIRST SCHEDULE PART 5 § 1.(1)(b) {business improvement purpose}Sub-paragraph (1)(b) applies only if — a reasonable person would consider the use of personal data about P for the relevant purpose to be appropriate in the circumstances. FIRST SCHEDULE PART 5 § 1.(4)(b) {business improvement purpose}{refrain from achieving}Sub-paragraph (1)(b) applies only if — the relevant purpose for which X uses personal data about P cannot reasonably be achieved without the use of the personal data in an individually identifiable form; and FIRST SCHEDULE PART 5 § 1.(4)(a)]	Data and Information Management	Preventive
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 [{individual's vital interest}{collect}{disclose} Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — FIRST SCHEDULE PART 1 § 1.(1)]	Process or Activity	Preventive
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617	Data and Information Management	Preventive
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 [{without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or FIRST SCHEDULE PART 3 § 10.(a) {without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. FIRST SCHEDULE PART 3 § 10.(b)]	Data and Information Management	Preventive
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612	Data and Information Management	Preventive
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 [Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: improving or enhancing any goods or services provided, or developing new goods or services to be provided, by the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(a) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: learning about and understanding the behaviour and preferences of P or another individual in relation to the goods or services provided by the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(c) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: identifying any goods or services provided by the organisation that may be suitable for P or another individual, or personalising or customising any such goods or services for P or another individual. SECOND SCHEDULE PART 2 Division 2 § 1.(1)(d) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: identifying any goods or services provided by the organisation that may be suitable for P or another individual, or personalising or customising any such goods or services for P or another individual. SECOND SCHEDULE PART 2 Division 2 § 1.(1)(d)]	Data and Information Management	Preventive
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 [{individual's vital interest}The collection, use or disclosure (as the case may be) of personal data about an individual, where — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; and FIRST SCHEDULE PART 1 § 3.(a)]	Data and Information Management	Preventive
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 [{individual's vital interest}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; or FIRST SCHEDULE PART 1 § 1.(1)(a)]	Data and Information Management	Preventive
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 [{without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is used or disclosed by X in relation to the business asset transaction; or FIRST SCHEDULE PART 4 § 1.(1)(b) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is used or disclosed by X or Y in relation to the relevant transaction; or FIRST SCHEDULE PART 4 § 2.(1)(b) {legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — relates to a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual. FIRST SCHEDULE PART 3 § 6.(1)(b) {business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: X may use or disclose the personal data collected from Y or Z (as the case may be) only for the same purposes for which Y or Z (as the case may be) would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(a)]	Data and Information Management	Preventive
Process personal data absent consent in order to perform a contract. CC ID 13586 [{prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: X may use or disclose the personal data X collected from Y only for the same purposes for which Y would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 1.(4)(a) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X and Y must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the business asset transaction. FIRST SCHEDULE PART 4 § 1.(3)(b) {business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y and Z must have entered into an agreement that requires Y to use or disclose the personal data solely for purposes related to the relevant transaction. FIRST SCHEDULE PART 4 § 2.(2)(b)(ii)]	Data and Information Management	Preventive
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581	Data and Information Management	Preventive
Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814	Data and Information Management	Preventive
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 [{is necessary}{without consent} The collection, use or disclosure of personal data is for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual. FIRST SCHEDULE PART 1 § 4.]	Data and Information Management	Preventive
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579	Data and Information Management	Preventive
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 [{refrain from achieving}The use of personal data about an individual for a research purpose (including historical or statistical research), if — the research purpose cannot reasonably be accomplished unless the personal data is used in an individually identifiable form; SECOND SCHEDULE PART 2 Division 3 § 1.(a) {collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for evaluative purposes. FIRST SCHEDULE PART 3 § 2. The use of personal data about an individual for a research purpose (including historical or statistical research), if — the results of the research will not be used to make any decision that affects the individual; and SECOND SCHEDULE PART 2 Division 3 § 1.(c)]	Data and Information Management	Preventive
Process personal data absent consent when it is needed by law. CC ID 13577 [{refrain from processing} An organisation shall not, on or after the appointed day, collect,use or disclose personal data about an individual unless— the collection, use or disclosure, as the case may be, without the consent of the individual is 0E5;" class="term_secondary-verb">required or authorised under this Act or any other written law. § 13.(b) Subject to section 25, if an individual withdraws consent to the collection, use or disclosure of personal data about the individual by an organisation for any purpose, the organisation shall cease (and cause its data intermediaries and agents to cease) collecting, using or disclosing the personal data, as the case may be, unless such collection, use or disclosure, as the case may be, without the consent of the individual is required or authorised under this Act or other written law. § 16.(4)]	Data and Information Management	Preventive
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 [{without consent}{archival purpose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for archival or historical purposes, if a reasonable person would not consider the personal data to be too sensitive to the individual to be collected, used or disclosed (as the case may be) at the proposed time. FIRST SCHEDULE PART 2 § 4.]	Data and Information Management	Preventive
Process personal data absent consent when it is from publicly available information. CC ID 13576 [{without consent}The use of personal data about an individual, if — the personal data was disclosed by a public agency; and SECOND SCHEDULE PART 2 Division 1 § 1.(a)]	Data and Information Management	Preventive
Process personal data absent consent to create a credit report. CC ID 15288 [{legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — is for the purpose of the preparation by a credit bureau of a credit report; or FIRST SCHEDULE PART 3 § 6.(1)(a)]	Data and Information Management	Preventive
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 [Unless otherwise provided under this Act, an organisation may — use or disclose personal data about an individual that — for purposes consistent with the purpose of that collection, or for any purpose permitted by subsection (1)(b) or (c), as the case may be. § 17.(2)(b) ¶ 1 Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the collection and use of that personal data by B, where the collection and use are reasonably necessary for any purpose mentioned in paragraph (a); § 15.(6)(b) {without consent}The personal data about an individual — is collected, used or disclosed (as the case may be) for purposes consistent with the purpose for which the document was produced. FIRST SCHEDULE PART 3 § 9.(b) {personal purpose}{domestic purposes}The personal data about an individual — is collected, used or disclosed (as the case may be) by the organisation solely for the purpose in sub-paragraph (a). FIRST SCHEDULE PART 3 § 8.(b) {without consent}The use of personal data about an individual, if — the use of personal data by the organization is consistent with the purpose of the disclosure by the public agency. SECOND SCHEDULE PART 2 Division 1 § 1.(b)]	Data and Information Management	Preventive
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 [{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — administer that trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be. FIRST SCHEDULE PART 3 § 7.(b)]	Data and Information Management	Preventive
Process personal data absent consent when produced for business purposes. CC ID 13563 [Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: improving or enhancing any goods or services provided, or developing new goods or services to be provided, by the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(a) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: improving or enhancing the methods or processes, or developing new methods or processes, for the operations of the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(b) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: improving or enhancing the methods or processes, or developing new methods or processes, for the operations of the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(b) {cannot achieve}Sub-paragraph (1) applies only if — the purpose for which the organisation uses personal data about P cannot reasonably be achieved without the use of the personal data in an individually identifiable form; and SECOND SCHEDULE PART 2 Division 2 § 1.(2)(a) {business improvement purpose}Sub-paragraph (1) applies only if — a reasonable person would consider the use of personal data about P for that purpose to be appropriate in the circumstances. SECOND SCHEDULE PART 2 Division 2 § 1.(2)(b)]	Data and Information Management	Preventive
Process personal data absent consent for handling insurance claims. CC ID 13561	Data and Information Management	Preventive
Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533	Data and Information Management	Preventive
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560	Data and Information Management	Preventive
Process personal data absent consent for life-threatening emergencies. CC ID 13558 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual, where — there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected. FIRST SCHEDULE PART 1 § 3.(b)]	Data and Information Management	Preventive
Process personal data absent consent for reasonable investigative purposes. CC ID 13557 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any investigation or proceedings. FIRST SCHEDULE PART 3 § 3.]	Data and Information Management	Preventive
Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 [{prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: X or Y must notify the applicable individuals of Y whose personal data is disclosed that — the personal data about them has been disclosed to X. FIRST SCHEDULE PART 4 § 1.(4)(c)(ii)]	Behavior	Preventive
Define security breach notification requirement exceptions. CC ID 04797	Establish/Maintain Documentation	Preventive
Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 [{data breach}{notifiable data breach} The organisation must carry out the assessment mentioned in subsection (2) or (3)(b) in accordance with any prescribed requirements. § 26C.(4)]	Communicate	Corrective
Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 [An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless — § 13.]	Records Management	Preventive
Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989	Communicate	Corrective
Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary — § 15.(6)(a)]	Data and Information Management	Preventive
Define what restricted data is not required to be disclosed absent consent. CC ID 00134	Establish/Maintain Documentation	Preventive
Define the exceptions to disclosure absent consent. CC ID 00135	Establish/Maintain Documentation	Preventive
Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the collection and use of that personal data by B; § 15.(3)(b)]	Data and Information Management	Detective
Define opt-out exceptions for disclosing restricted data. CC ID 00159	Establish/Maintain Documentation	Preventive
Define how a data subject may give consent. CC ID 00160 [An individual has not given consent under this Act for the collection, use or disclosure of personal data about the individual by an organisation for a purpose unless— the individual has been provided with the information required under section 20; and § 14.(1)(a) {render invalid} Any consent given in any of the circumstances in subsection (2) is not validly given for the purposes of this Act. § 14.(3) An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if— the individual, without actually giving consent referred to in section 14, voluntarily provides the personal data to the organisation for that purpose; and § 15.(1)(a) In this Act, references to the consent given or deemed to have been given, by an individual for the collection, use, or disclosure of personal data about the individual shall include consent given, or deemed to have been given, by any person validly acting on behalf of that individual for the collection, use or disclosure of such personal data. § 14.(4) An individual has not given consent under this Act for the collection, use or disclosure of personal data about the individual by an organisation for a purpose unless — the individual provided his consent for that purpose in accordance with this Act. § 14.(1)(b) Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the individual does not notify the organisation, before the expiry of the period mentioned in subsection (4)(b)(iii), that the individual does not consent to the proposed collection, use or disclosure of the personal data by the organisation. § 15A.(2)(b) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: a reasonable period within which, and a reasonable manner by which, the individual may notify the organisation that the individual does not consent to the organisation's proposed collection, use or disclosure of the personal data; and § 15A.(4)(b)(iii)]	Establish/Maintain Documentation	Preventive
Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793	Data and Information Management	Preventive
Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 [An organisation may — disclose personal data about an individual without the consent of the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 3 of the Second Schedule. § 17.(1)(c) {individual's vital interest}{without consent}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — the individual would not reasonably be expected to withhold consent. FIRST SCHEDULE PART 1 § 1.(1)(b) {organization}{corporation}{business improvement purpose}Subject to the conditions in sub-paragraphs (3), (4) and (5), personal data about an individual (P) — is disclosed by Y to X for a relevant purpose. FIRST SCHEDULE PART 5 § 1.(1)(c)]	Communicate	Preventive
Disclose restricted data absent consent when the law does not require consent. CC ID 00136	Data and Information Management	Preventive
Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 [Unless otherwise provided under this Act, an organisation may — use or disclose personal data about an individual that — for purposes consistent with the purpose of that collection, or for any purpose permitted by subsection (1)(b) or (c), as the case may be. § 17.(2)(b) ¶ 1 Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by B to another organisation, where the disclosure is reasonably necessary for any purpose mentioned in paragraph (a). § 15.(6)(c) {personal purpose}{domestic purposes}The personal data about an individual — is collected, used or disclosed (as the case may be) by the organisation solely for the purpose in sub-paragraph (a). FIRST SCHEDULE PART 3 § 8.(b) {business improvement purpose}{refrain from achieving}Sub-paragraph (1)(a) and (c) applies only if — the relevant purpose for which X collects, or Y discloses, personal data about P cannot reasonably be achieved without the collection, use or disclosure (as the case may be) of the personal data in an individually identifiable form; FIRST SCHEDULE PART 5 § 1.(3)(a) {without consent}The personal data about an individual — is collected, used or disclosed (as the case may be) for purposes consistent with the purpose for which the document was produced. FIRST SCHEDULE PART 3 § 9.(b)]	Data and Information Management	Preventive
Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the disclosure of that personal data by A to another organisation (B); § 15.(3)(a) Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the disclosure of that personal data by B to another organisation. § 15.(3)(c) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer of Y; and FIRST SCHEDULE PART 5 § 1.(5)(a) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer or a prospective customer of X. FIRST SCHEDULE PART 5 § 1.(5)(b)]	Data and Information Management	Preventive
Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594	Data and Information Management	Preventive
Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 [{individual's vital interest}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; or FIRST SCHEDULE PART 1 § 1.(1)(a)]	Data and Information Management	Preventive
Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 [{without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or FIRST SCHEDULE PART 3 § 10.(a) {without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. FIRST SCHEDULE PART 3 § 10.(b)]	Data and Information Management	Preventive
Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613	Data and Information Management	Preventive
Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603	Data and Information Management	Preventive
Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598	Data and Information Management	Preventive
Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597	Data and Information Management	Preventive
Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596	Data and Information Management	Preventive
Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592	Data and Information Management	Preventive
Disclose personal data absent consent to create a credit report. CC ID 15297 [{legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — is for the purpose of the preparation by a credit bureau of a credit report; or FIRST SCHEDULE PART 3 § 6.(1)(a)]	Data and Information Management	Preventive
Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595	Data and Information Management	Preventive
Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583	Data and Information Management	Preventive
Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593	Data and Information Management	Preventive
Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 [{business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y may collect, and Z may disclose, only personal data that is necessary for X or Y (as the case may be) to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(b)(i)]	Data and Information Management	Preventive
Disclose personal data absent consent for handling insurance claims. CC ID 13585	Data and Information Management	Preventive
Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584	Data and Information Management	Preventive
Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555	Data and Information Management	Preventive
Disclose personal data absent consent for transactions related to the consumer. CC ID 14853	Data and Information Management	Preventive
Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582	Data and Information Management	Preventive
Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 [{is necessary}{without consent} The collection, use or disclosure of personal data is for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual. FIRST SCHEDULE PART 1 § 4.]	Data and Information Management	Preventive
Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 [{collect}{disclose}Subject to sub-paragraphs (2), (3) and (4) — the collection, use or disclosure (as the case may be) of personal data about an individual is in the legitimate interests of the organisation or another person; and FIRST SCHEDULE PART 3 § 1.(1)(a)]	Data and Information Management	Preventive
Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553	Data and Information Management	Preventive
Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 [{individual's vital interest}The collection, use or disclosure (as the case may be) of personal data about an individual, where — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; and FIRST SCHEDULE PART 1 § 3.(a) The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — it is impracticable for the organisation to seek the consent of the individual for the disclosure; SECOND SCHEDULE PART 3 Division 2 § 1.(b)]	Data and Information Management	Preventive
Disclose restricted data absent consent in order to perform a contract. CC ID 00139 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary — for the conclusion or performance of a contract between A and B which is entered into at P's request, or which a reasonable person would consider to be in P's interest; § 15.(6)(a)(ii) {without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is used or disclosed by X in relation to the business asset transaction; or FIRST SCHEDULE PART 4 § 1.(1)(b) {without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is disclosed by Y to X for the purposes of the business transaction. FIRST SCHEDULE PART 4 § 1.(1)(c) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X may collect, and Y may disclose, only personal data that is necessary for X to determine whether to proceed with the business asset transaction; FIRST SCHEDULE PART 4 § 1.(3)(a) {prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: X may use or disclose the personal data X collected from Y only for the same purposes for which Y would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 1.(4)(a) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X and Y must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the business asset transaction. FIRST SCHEDULE PART 4 § 1.(3)(b) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is used or disclosed by X or Y in relation to the relevant transaction; or FIRST SCHEDULE PART 4 § 2.(1)(b) Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary — for the performance of the contract between P and A; or § 15.(6)(a)(i) {legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — relates to a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual. FIRST SCHEDULE PART 3 § 6.(1)(b) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is disclosed by Y or Z (as the case may be) to X, or by Z to Y, for the purposes of the relevant transaction. FIRST SCHEDULE PART 4 § 2.(1)(c) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X may collect, and Y or Z (as the case may be) may disclose, only personal data that is necessary for X to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(a)(i) {business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: X may use or disclose the personal data collected from Y or Z (as the case may be) only for the same purposes for which Y or Z (as the case may be) would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(a) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X and Y or Z (as the case may be) must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the relevant transaction; FIRST SCHEDULE PART 4 § 2.(2)(a)(ii) {business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y and Z must have entered into an agreement that requires Y to use or disclose the personal data solely for purposes related to the relevant transaction. FIRST SCHEDULE PART 4 § 2.(2)(b)(ii) {legitimate interest}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — confer an interest or a benefit on the individual under a private trust or benefit plan; and FIRST SCHEDULE PART 3 § 7.(a)]	Data and Information Management	Preventive
Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140	Data and Information Management	Preventive
Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 [{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — administer that trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be. FIRST SCHEDULE PART 3 § 7.(b)]	Data and Information Management	Preventive
Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 [{disclose}The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — in the event that the results of the research are published, the organisation publishes the results in a form that does not identify the individual. SECOND SCHEDULE PART 3 Division 2 § 1.(e)]	Data and Information Management	Preventive
Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141	Data and Information Management	Preventive
Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142	Data and Information Management	Preventive
Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143	Data and Information Management	Preventive
Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 [{disclose}{without consent} The disclosure of personal data about an individual to a public agency, where the disclosure is necessary in the public interest. SECOND SCHEDULE PART 3 Division 1 § 1.]	Data and Information Management	Preventive
Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145	Data and Information Management	Preventive
Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 [The use of personal data about an individual for a research purpose (including historical or statistical research), if — in the event that the results of the research are published, the organisation publishes the results in a form that does not identify the individual. SECOND SCHEDULE PART 2 Division 3 § 1.(d) {refrain from achieving}The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — the research purpose cannot reasonably be accomplished unless the personal data is disclosed in an individually identifiable form; SECOND SCHEDULE PART 3 Division 2 § 1.(a) The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — there is a clear public benefit to disclosing the personal data for the research purpose; SECOND SCHEDULE PART 3 Division 2 § 1.(c) {collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for evaluative purposes. FIRST SCHEDULE PART 3 § 2. {disclose}The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — the results of the research will not be used to make a decision that affects the individual; and SECOND SCHEDULE PART 3 Division 2 § 1.(d)]	Data and Information Management	Preventive
Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 [{without consent}{archival purpose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for archival or historical purposes, if a reasonable person would not consider the personal data to be too sensitive to the individual to be collected, used or disclosed (as the case may be) at the proposed time. FIRST SCHEDULE PART 2 § 4.]	Data and Information Management	Preventive
Disclose restricted data absent consent for public economic interests. CC ID 00148	Data and Information Management	Preventive
Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is in the national interest. FIRST SCHEDULE PART 2 § 2.]	Data and Information Management	Preventive
Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 [{without consent} The personal data about an individual is collected, used or disclosed (as the case may be) by a news organisation solely for its news activity. FIRST SCHEDULE PART 2 § 5. {without consent}{artistic purpose}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for artistic or literary purposes. FIRST SCHEDULE PART 2 § 3.]	Data and Information Management	Preventive
Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual that is publicly available. FIRST SCHEDULE PART 2 § 1.]	Data and Information Management	Preventive
Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152	Data and Information Management	Preventive
Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153	Data and Information Management	Preventive
Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 [{individual's vital interest}{collect}{disclose} Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — FIRST SCHEDULE PART 1 § 1.(1)]	Data and Information Management	Preventive
Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual, where — there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected. FIRST SCHEDULE PART 1 § 3.(b)]	Data and Information Management	Preventive
Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any investigation or proceedings. FIRST SCHEDULE PART 3 § 3. {collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services. FIRST SCHEDULE PART 3 § 5.]	Data and Information Management	Preventive
Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162	Establish/Maintain Documentation	Detective
Disclose restricted data absent consent when it is needed by law. CC ID 00163	Data and Information Management	Preventive
Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 [An organisation must not inform any individual under subsection (1)(b) that the organisation has disclosed personal data about the individual to a prescribed law enforcement agency if the disclosure was made under this Act or any other written law without the consent of the individual. § 21.(4) {disclose} The disclosure of personal data about any individual to any officer of a prescribed law enforcement agency, upon production of written authorisation signed by the head or director of that prescribed law enforcement agency or a person of a similar rank, certifying that the personal data is necessary for the purposes of the functions or duties of the officer. SECOND SCHEDULE PART 3 Division 1 § 4.]	Data and Information Management	Preventive
Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164	Data and Information Management	Preventive
Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855	Data and Information Management	Preventive
Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to recover a debt owed by the individual to the organisation; or FIRST SCHEDULE PART 3 § 4.(a) {collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to pay to the individual a debt owed by the organisation. FIRST SCHEDULE PART 3 § 4.(b)]	Data and Information Management	Preventive
Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166	Data and Information Management	Preventive
Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469	Communicate	Preventive
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [the organisation must preserve, for not less than the prescribed period, a copy of the personal data concerned. § 22A.(1) ¶ 1]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain personal data disposition procedures. CC ID 13498	Establish/Maintain Documentation	Preventive
Capture personal data removal requests. CC ID 13507	Communicate	Preventive
Remove personal data from records after receiving a personal data removal request. CC ID 11972	Records Management	Preventive
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789	Process or Activity	Preventive
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788	Process or Activity	Preventive
Dispose of personal data removal requests, as necessary. CC ID 13512	Business Processes	Preventive
Limit the redisclosure and reuse of restricted data. CC ID 00168	Data and Information Management	Preventive
Refrain from redisclosing or reusing restricted data. CC ID 00169	Data and Information Management	Preventive
Document the redisclosing restricted data exceptions. CC ID 00170	Establish/Maintain Documentation	Preventive
Redisclose restricted data when the data subject consents. CC ID 00171	Data and Information Management	Preventive
Redisclose restricted data when it is for criminal law enforcement. CC ID 00172	Data and Information Management	Preventive
Redisclose restricted data in order to protect public revenue. CC ID 00173	Data and Information Management	Preventive
Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174	Data and Information Management	Preventive
Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175	Data and Information Management	Preventive
Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176	Data and Information Management	Preventive
Redisclose restricted data in order to preserve human life at sea. CC ID 00177	Data and Information Management	Preventive
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178	Data and Information Management	Preventive
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198	Data and Information Management	Preventive
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199	Data and Information Management	Preventive
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238	Data and Information Management	Preventive
Process Personal Identification Numbers with consent. CC ID 00239	Data and Information Management	Preventive
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253	Behavior	Preventive
Obtain consent prior to selling a Personal Identification Number. CC ID 00240	Data and Information Management	Preventive
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241	Data and Information Management	Preventive
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254	Data and Information Management	Preventive
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255	Data and Information Management	Preventive
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242	Establish/Maintain Documentation	Preventive
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252	Data and Information Management	Preventive
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247	Data and Information Management	Preventive
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244	Data and Information Management	Preventive
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243	Data and Information Management	Preventive
Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821	Data and Information Management	Preventive
Establish, implement, and maintain data disclosure procedures. CC ID 00133 [Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the organisation satisfies the requirements in subsection (4); and § 15A.(2)(a) {business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: Y may use or disclose the personal data collected from Z only for the same purposes for which Z would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(b)]	Establish/Maintain Documentation	Preventive
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual; § 15A.(5)(a) {legitimate interest}{collect}{disclose}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify any adverse effect that the proposed collection, use or disclosure (as the case may be) of personal data about an individual is likely to have on the individual; FIRST SCHEDULE PART 3 § 1.(3)(a)]	Data and Information Management	Preventive
Review personal data disclosure requests. CC ID 07129	Data and Information Management	Preventive
Notify the data subject of the disclosure purpose. CC ID 15268 [For the purposes of subsection (4), the organisation must inform the individual of the following: the purpose for which the organisation is collecting, using or disclosing (as the case may be) the personal data about the individual; § 20.(5)(a)]	Communicate	Preventive
Establish, implement, and maintain data request denial procedures. CC ID 00434	Establish/Maintain Documentation	Preventive
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 [{personal data request} An organisation is not required to provide information under section 21(1) in respect of— any request— that would unreasonably interfere with the ound-color:#F0BBBC;" class="term_primary-noun">operations of the organisation because of the repetitious or systematic nature of the requests; FIFTH SCHEDULE § 1.(j)(i) {personal data request} An organisation is not required to provide information under section 21(1) in respect of— any request— for y-noun">informatground-color:#CBD0E5;" class="term_secondary-verb">ionan> that is trivial; or FIFTH SCHEDULE § 1.(j)(iv) {personal data request}{is unnecessary} An organisation is not required to provide information under section 21(1) in respect of— any request— that is otherwise frivolous or vexatious. FIFTH SCHEDULE § 1.(j)(v) {interfere}{operation} For the purposes of paragraph 1(j)(i), the organisation may have regard to the number and frequency of requests received. FIFTH SCHEDULE § 2.]	Data and Information Management	Preventive
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 [{personal data request} An organisation is not required to provide information under section 21(1) in respect of— any request— for information that lass="term_primary-verb">does not exist or cannot be found; FIFTH SCHEDULE § 1.(j)(iii)]	Data and Information Management	Preventive
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437	Data and Information Management	Preventive
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 [{other person} An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to— class="term_primary-verb">reveal personal data about another individual; § 21.(3)(c) {other person} An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to — m_primary-verb">reveal the identity of an individual who has provided personal data about another individual and the individual providing the personal data does not consent to the disclosure of his identity; or § 21.(3)(d)]	Data and Information Management	Preventive
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439	Data and Information Management	Preventive
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440	Data and Information Management	Preventive
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [An organisation is not required to provide information under section 21(1) in respect of— personal data which, if disclosed, would reveal or:#F0BBBC;" class="term_primary-noun">confidential commercial information that could, in the opispan>nion of a reasonable person, harm the ">competitive position of the organisation; FIFTH SCHEDULE § 1.(g)]	Data and Information Management	Preventive
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 [An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to— <span style="background-color:#B7D8ED;" class="term_primary-verb">threaten the safety or physical or mental health of an individual other than the individual who made the request; § 21.(3)(a) An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to— cause immediate or grave harm> to the ackground-color:#F0BBBC;" class="term_primary-noun">safety or to the physical or mental style="background-color:#F0BBBC;" class="term_primary-noun">health of the individual who made the request; § 21.(3)(b)]	Data and Information Management	Preventive
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443	Data and Information Management	Preventive
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702	Process or Activity	Preventive
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600	Data and Information Management	Preventive
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444	Data and Information Management	Preventive
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 [An organisation is not required to provide information under section 21(1) in respect of— opinion data rb">keptan> solely for an style="background-color:#F0BBBC;" class="term_primary-noun">evaluative purpose; FIFTH SCHEDULE § 1.(a)]	Data and Information Management	Preventive
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 [{contravene} An organisation shall not provide an individual with the individual's personal data or other information under subsection (1)if the provision of that round-color:#F0BBBC;" class="term_primary-noun">personal data or other information, as the case may be, could reasonably be expected to — be contrary to the national interest. § 21.(3)(e)]	Data and Information Management	Detective
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447	Data and Information Management	Preventive
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448	Data and Information Management	Preventive
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449	Data and Information Management	Preventive
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 [An organisation is not required to provide information under section 21(1) in respect of — personal data collected, used or disclosed without consent, under paragraph 3 of Part 3 of the First Schedule, for the purposes of an investigation if the investigation and associated proceedings and appeals have not been completed; FIFTH SCHEDULE § 1.(h)]	Data and Information Management	Preventive
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451	Data and Information Management	Preventive
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 [An organisation is not required to provide information under section 21(1) in respect of— the personal data was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he was appointed to act— under a un">collective agreement under the Industrial Relations Act (Cap. 136) or by agreement between the parties to the mediation or arbitration; FIFTH SCHEDULE § 1.(i)(i) An organisation is not required to provide information under section 21(1) in respect of— the personal data was collected or created by a mediator or arbitrator in the conduct of a ry-noun">mediationn> or arbitrationan> for which he was appointed to act— under any written m_primary-noun">law; or FIFTH SCHEDULE § 1.(i)(ii) An organisation is not required to provide information under section 21(1) in respect of— the personal data was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he was style="background-color:#CBD0E5;" class="term_secondary-verb">ED;" class="term_primary-verb">appointed to act— by a pan style="background-color:#F0BBBC;" class="term_primary-noun">court, arbitral institution or mediation centre; or FIFTH SCHEDULE § 1.(i)(iii)]	Data and Information Management	Preventive
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874	Data and Information Management	Preventive
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 [{personal data request}{be disproportionate} An organisation is not required to provide information under section 21(1) in respect of—any request— if the burden or expense of providing access would "background-color:#B7D8ED;" class="term_primary-verb">be unreasonable to the organisation or disproportionate to the individual's interests; FIFTH SCHEDULE § 1.(j)(ii) {personal data request}{be disproportionate} An organisation is not required to provide information under section 21(1) in respect of—any request— if the burden or expense of providing access would "background-color:#B7D8ED;" class="term_primary-verb">be unreasonable to the organisation or disproportionate to the individual's interests; FIFTH SCHEDULE § 1.(j)(ii)]	Data and Information Management	Preventive
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [the organisation must, within the prescribed time and in accordance with the prescribed requirements, notify the individual of the rejection. § 21.(6) ¶ 1]	Data and Information Management	Preventive
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509	Communicate	Preventive
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454	Data and Information Management	Preventive
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700	Process or Activity	Preventive
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [Subject to subsections (2), (3) and (4), on request of an individual, an organisation shall, as soon as reasonably possible, provide the individual with— personal data> about the individual that is in the possession or under the control of the organisation; and § 21.(1)(a) {is complete} If an organisation is able to provide the individual with the individual's personal data and other information requested under subsection (1) without the personal data or other information excluded under subsections (2), (3) and (4), the organisation shall d-color:#B7D8ED;" class="term_primary-verb">provide the individual with ="term_primary-noun">access to the personal data and other information without the personal data or other information excluded under subsections (2), (3) and (4). § 21.(5)]	Data and Information Management	Preventive
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876	Data and Information Management	Preventive
Notify that data subject of any exclusions to requested personal data. CC ID 15271 [the organisation must notify the individual of the exclusion, under subsection (2) or (3), of any of the personal data or other information so requested. § 21.(7) ¶ 1]	Communicate	Preventive
Provide data or records in a reasonable time frame. CC ID 00429 [{person}A checker is deemed to have complied with subsection (2)(a) if — the checker provides the applicable information to P before the expiry of the prescribed period mentioned in section 43(2)(b)(i). § 43A.(3)(b)]	Data and Information Management	Preventive
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599	Communicate	Preventive
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591	Data and Information Management	Preventive
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590	Data and Information Management	Preventive
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589	Data and Information Management	Preventive
Provide data at a cost that is not excessive. CC ID 00430	Data and Information Management	Preventive
Provide records or data in a reasonable manner. CC ID 00431	Data and Information Management	Preventive
Provide personal data in a form that is intelligible. CC ID 00432	Data and Information Management	Preventive
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604	Data and Information Management	Preventive
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602	Data and Information Management	Preventive
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601	Data and Information Management	Preventive
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data collection program. CC ID 06487	Establish/Maintain Documentation	Preventive
Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual; § 15A.(5)(a) {legitimate interest}{collect}{disclose}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify any adverse effect that the proposed collection, use or disclosure (as the case may be) of personal data about an individual is likely to have on the individual; FIRST SCHEDULE PART 3 § 1.(3)(a)]	Data and Information Management	Preventive
Refrain from collecting personal data, as necessary. CC ID 15269 [An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless — § 13.]	Data and Information Management	Preventive
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 [Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the organisation satisfies the requirements in subsection (4); and § 15A.(2)(a)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data use policy. CC ID 00076	Establish/Maintain Documentation	Preventive
Use personal data for specified purposes. CC ID 11831 [{business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: Y may use or disclose the personal data collected from Z only for the same purposes for which Z would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(b)]	Data and Information Management	Preventive
Post the collection purpose. CC ID 00101	Establish/Maintain Documentation	Preventive
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: § 15.(6)]	Data and Information Management	Preventive
Document each individual's personal data collection consent preferences. CC ID 06945	Establish/Maintain Documentation	Preventive
Provide explicit consent that is clear and unambiguous. CC ID 00181	Data and Information Management	Preventive
Allow individuals to change their personal data collection consent preferences. CC ID 06946 [{allow} On giving reasonable notice to the organisation, an individual may at any time withdraw any consent given, or deemed to have been given under this Act, in respect of the collection, use or disclosure by that organisation of personal data about the individual for any purpose. § 16.(1) An organisation shall not prohibit an individual from withdrawing his consent to the collection, use or disclosure of personal data about the individual, but this section shall not affect any legal consequences arising from such withdrawal. § 16.(3)]	Data and Information Management	Preventive
Adhere to each individual's personal data collection consent preferences. CC ID 06947	Data and Information Management	Preventive
Notify the data subject of the source of collected personal data. CC ID 00083	Behavior	Preventive
Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717	Data and Information Management	Preventive
Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718	Data and Information Management	Preventive
Establish and maintain a personal data definition. CC ID 00028	Establish/Maintain Documentation	Preventive
Include an individual's name in the personal data definition. CC ID 04710	Data and Information Management	Preventive
Include an individual's name combined with other personal data in the personal data definition. CC ID 04709	Data and Information Management	Preventive
Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686	Data and Information Management	Preventive
Include an individual's signature in the personal data definition. CC ID 04711	Data and Information Management	Preventive
Include an individual's date of birth in the personal data definition. CC ID 04770	Data and Information Management	Preventive
Include the number of children in the personal data definition. CC ID 13759	Establish/Maintain Documentation	Preventive
Include the individual's religion in the personal data definition. CC ID 13765	Establish/Maintain Documentation	Preventive
Include an individual's physical characteristics or description in the personal data definition. CC ID 04712	Data and Information Management	Preventive
Include an individual's biometric data in the personal data definition. CC ID 04698	Data and Information Management	Preventive
Include an individual's photographic image in the personal data definition. CC ID 04779	Data and Information Management	Preventive
Include an individual's fingerprints in the personal data definition. CC ID 04689	Data and Information Management	Preventive
Include an individual's address in the personal data definition. CC ID 04687	Data and Information Management	Preventive
Include an individual's telephone number in the personal data definition. CC ID 04688	Data and Information Management	Preventive
Include an individual's fax number in the personal data definition. CC ID 07120	Data and Information Management	Preventive
Include an individual's political party affiliation in the personal data definition. CC ID 13764	Establish/Maintain Documentation	Preventive
Include an individual's license plate number in the personal data definition. CC ID 13763	Establish/Maintain Documentation	Preventive
Include an individual's financial account number in the personal data definition. CC ID 04692	Data and Information Management	Preventive
Include an individual's account balances in the personal data definition. CC ID 13770	Establish/Maintain Documentation	Preventive
Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768	Data and Information Management	Preventive
Include an individual's electronic identification name or number in the personal data definition. CC ID 04694	Data and Information Management	Preventive
Include an individual's logon credentials in the personal data definition. CC ID 13771	Establish/Maintain Documentation	Preventive
Include an individual's Alien Registration Number in the personal data definition. CC ID 04743	Data and Information Management	Preventive
Include an individual's passport number in the personal data definition. CC ID 04713	Data and Information Management	Preventive
Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691	Data and Information Management	Preventive
Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690	Data and Information Management	Preventive
Include an individual's military identification number in the personal data definition. CC ID 13083	Establish/Maintain Documentation	Preventive
Include an individual's e-mail address in the personal data definition. CC ID 04696	Data and Information Management	Preventive
Include electronic signatures in the personal data definition. CC ID 04697	Data and Information Management	Preventive
Include an individual's payment card information in the personal data definition. CC ID 04751	Data and Information Management	Preventive
Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693	Data and Information Management	Preventive
Include an individual's payment card service code in the personal data definition. CC ID 04753	Data and Information Management	Preventive
Include an individual's payment card expiration date in the personal data definition. CC ID 04755	Data and Information Management	Preventive
Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825	Data and Information Management	Preventive
Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700	Data and Information Management	Preventive
Include an individual's medical history in the personal data definition. CC ID 04701	Data and Information Management	Preventive
Include an individual's medical treatment in the personal data definition. CC ID 04702	Data and Information Management	Preventive
Include an individual's medical diagnosis in the personal data definition. CC ID 04703	Data and Information Management	Preventive
Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704	Data and Information Management	Preventive
Include an individual's medical record numbers in the personal data definition. CC ID 07121	Data and Information Management	Preventive
Include an individual's health insurance information in the personal data definition. CC ID 04705	Data and Information Management	Preventive
Include an individual's health insurance policy number in the personal data definition. CC ID 04706	Data and Information Management	Preventive
Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707	Data and Information Management	Preventive
Include an individual's education information in the personal data definition. CC ID 04714	Data and Information Management	Preventive
Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122	Data and Information Management	Preventive
Include an individual's employment information in the personal data definition. CC ID 04715	Data and Information Management	Preventive
Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767	Data and Information Management	Preventive
Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763	Data and Information Management	Preventive
Include an individual's employment history in the personal data definition. CC ID 04716	Data and Information Management	Preventive
Include an individual's place of employment in the personal data definition. CC ID 04765	Data and Information Management	Preventive
Include an individual's Employee Identification Number in the personal data definition. CC ID 04766	Data and Information Management	Preventive
Include an individual's property information in the personal data definition. CC ID 04780	Data and Information Management	Preventive
Include an individual's property title in the personal data definition. CC ID 04781	Data and Information Management	Preventive
Include an individual's vehicle registration in the personal data definition. CC ID 04782	Data and Information Management	Preventive
Include hardware asset identification information in the personal data definition. CC ID 07123	Data and Information Management	Preventive
Include MAC addresses in the personal data definition. CC ID 04778	Data and Information Management	Preventive
Include Internet Protocol addresses in the personal data definition. CC ID 04777	Data and Information Management	Preventive
Include asset serial numbers in the personal data definition. CC ID 07124	Data and Information Management	Preventive
Include Uniform Resource Locators in the personal data definition. CC ID 07125	Data and Information Management	Preventive
Refrain from including publicly available information in the personal data definition. CC ID 13084	Establish/Maintain Documentation	Preventive
Define specially restricted data. CC ID 00037	Data and Information Management	Preventive
Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079	Data and Information Management	Preventive
Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075	Data and Information Management	Preventive
Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080	Data and Information Management	Preventive
Implement a nondiscrimination principle. CC ID 00081	Data and Information Management	Preventive
Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799	Data and Information Management	Preventive
Preserve each individual's right to human dignity. CC ID 00082	Data and Information Management	Preventive
Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058	Data and Information Management	Preventive
Employ a random number generator to create authenticators. CC ID 13782	Technical Security	Preventive
Collect Personal Identification Numbers with the individual's consent. CC ID 00059	Data and Information Management	Preventive
Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061	Data and Information Management	Preventive
Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065	Data and Information Management	Preventive
Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792	Data and Information Management	Preventive
Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069	Behavior	Preventive
Manage health data collection. CC ID 00050	Data and Information Management	Preventive
Collect Individually Identifiable Health Information to provide health care services. CC ID 00052	Data and Information Management	Preventive
Collect Individually Identifiable Health Information when the law dictates. CC ID 00053	Data and Information Management	Preventive
Collect Individually Identifiable Health Information for research. CC ID 00054	Data and Information Management	Preventive
Remove personal data before disclosing health data. CC ID 00055	Data and Information Management	Preventive
Give special attention to collecting children's data. CC ID 00038	Data and Information Management	Preventive
Use simple understandable language to collect information from children. CC ID 00039	Behavior	Preventive
Notify parents or legal representatives of what information is collected from children. CC ID 00040	Establish/Maintain Documentation	Preventive
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049	Data and Information Management	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199	Data and Information Management	Preventive
Establish, implement, and maintain a personal data collection policy. CC ID 00029	Establish/Maintain Documentation	Preventive
Collect personal data directly from the data subject. CC ID 00011	Data and Information Management	Preventive
Create and manage user account aliases to maintain pseudonymity. CC ID 04549	Data and Information Management	Preventive
Provide unlinkability for users and resources. CC ID 04550	Data and Information Management	Preventive
Provide unobservability of users and resources. CC ID 04551	Technical Security	Preventive
Confirm the data quality of personal data collected from third parties. CC ID 13510	Investigate	Detective
Collect restricted data in a fair and lawful manner. CC ID 00010 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the collection and use of that personal data by B; § 15.(3)(b)]	Data and Information Management	Preventive
Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 [An organisation may — collect personal data about an individual, without the consent of the individual or from a source other than the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 1 of the Second Schedule; § 17.(1)(a) {individual's vital interest}{without consent}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — the individual would not reasonably be expected to withhold consent. FIRST SCHEDULE PART 1 § 1.(1)(b) {without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is in the national interest. FIRST SCHEDULE PART 2 § 2. {business improvement purpose}Sub-paragraph (1)(a) and (c) applies only if — a reasonable person would consider the collection or disclosure of personal data about P for the relevant purpose to be appropriate in the circumstances; and FIRST SCHEDULE PART 5 § 1.(3)(b) Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — § 17.(2)(a) Subject to the conditions in sub-paragraphs (3), (4) and (5), personal data about an individual (P) — is collected by an organisation (X) that is a corporation from a related corporation (Y) for a purpose specified in sub-paragraph (2) (called the relevant purpose); FIRST SCHEDULE PART 5 § 1.(1)(a) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer of Y; and FIRST SCHEDULE PART 5 § 1.(5)(a) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer or a prospective customer of X. FIRST SCHEDULE PART 5 § 1.(5)(b) {personal purpose}The personal data about an individual — is provided to the organisation by another individual to enable the organisation to provide a service for the personal or domestic purposes of that other individual; and FIRST SCHEDULE PART 3 § 8.(a) {without consent}Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — on or after the specified date in accordance with subsection (1)(c); or § 17.(2)(a)(i) {without consent}Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — before the specified date in accordance with section 17(3) as in force before the specified date, § 17.(2)(a)(ii)]	Data and Information Management	Preventive
Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 [{individual's vital interest}The collection, use or disclosure (as the case may be) of personal data about an individual, where — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; and FIRST SCHEDULE PART 1 § 3.(a) {individual's vital interest}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; or FIRST SCHEDULE PART 1 § 1.(1)(a) {legitimate interest}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — confer an interest or a benefit on the individual under a private trust or benefit plan; and FIRST SCHEDULE PART 3 § 7.(a)]	Data and Information Management	Preventive
Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015	Data and Information Management	Preventive
Collect personal data absent consent in order to make a disclosure. CC ID 13550 [{individual}{consent} Where an organisation collects personal data disclosed to it by B under subsection (6)(c), subsection (6)(b) and (c) applies to the organisation as if the personal data were disclosed by A to the organisation under subsection (6)(a). § 15.(7) {without consent}{collect}The collection of personal data about an individual, if — the personal data was disclosed by a public agency; and SECOND SCHEDULE PART 1 § 1.(a)]	Data and Information Management	Preventive
Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any investigation or proceedings. FIRST SCHEDULE PART 3 § 3.]	Data and Information Management	Preventive
Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the collection and use of that personal data by B, where the collection and use are reasonably necessary for any purpose mentioned in paragraph (a); § 15.(6)(b) {without consent}The personal data about an individual — is collected, used or disclosed (as the case may be) for purposes consistent with the purpose for which the document was produced. FIRST SCHEDULE PART 3 § 9.(b) {business improvement purpose}{refrain from achieving}Sub-paragraph (1)(a) and (c) applies only if — the relevant purpose for which X collects, or Y discloses, personal data about P cannot reasonably be achieved without the collection, use or disclosure (as the case may be) of the personal data in an individually identifiable form; FIRST SCHEDULE PART 5 § 1.(3)(a) {collect}{without consent}The collection of personal data about an individual, if — the collection of personal data by the organisation is consistent with the purpose of the disclosure by the public agency. SECOND SCHEDULE PART 1 § 1.(b) {personal purpose}{domestic purposes}The personal data about an individual — is collected, used or disclosed (as the case may be) by the organisation solely for the purpose in sub-paragraph (a). FIRST SCHEDULE PART 3 § 8.(b)]	Data and Information Management	Preventive
Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 [{collect}{without consent}The personal data about an individual — is included in a document produced in the course, and for the purposes, of the individual's employment, business or profession; and FIRST SCHEDULE PART 3 § 9.(a) {without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is collected from Y by X for the purposes of the business asset transaction; FIRST SCHEDULE PART 4 § 1.(1)(a) {organization}{party} Where the business asset transaction concerns any part of Y or Y's business assets, the personal data mentioned in sub-paragraph (1) must relate directly to that part of Y or Y's business assets, as the case may be. FIRST SCHEDULE PART 4 § 1.(2) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X may collect, and Y may disclose, only personal data that is necessary for X to determine whether to proceed with the business asset transaction; FIRST SCHEDULE PART 4 § 1.(3)(a) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is collected from Y or Z by X, or from Z by Y, for the purposes of the relevant transaction; FIRST SCHEDULE PART 4 § 2.(1)(a) {legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — relates to a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual. FIRST SCHEDULE PART 3 § 6.(1)(b) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X may collect, and Y or Z (as the case may be) may disclose, only personal data that is necessary for X to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(a)(i) {business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y may collect, and Z may disclose, only personal data that is necessary for X or Y (as the case may be) to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(b)(i) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X and Y or Z (as the case may be) must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the relevant transaction; FIRST SCHEDULE PART 4 § 2.(2)(a)(ii)]	Data and Information Management	Preventive
Collect personal data absent consent for handling insurance claims. CC ID 13543	Data and Information Management	Preventive
Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016	Data and Information Management	Preventive
Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 [{is necessary}{without consent} The collection, use or disclosure of personal data is for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual. FIRST SCHEDULE PART 1 § 4.]	Data and Information Management	Preventive
Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 [{without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or FIRST SCHEDULE PART 3 § 10.(a) {without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. FIRST SCHEDULE PART 3 § 10.(b)]	Data and Information Management	Preventive
Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 [{individual's vital interest}{collect}{disclose} Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — FIRST SCHEDULE PART 1 § 1.(1)]	Data and Information Management	Preventive
Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 [{without consent}{archival purpose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for archival or historical purposes, if a reasonable person would not consider the personal data to be too sensitive to the individual to be collected, used or disclosed (as the case may be) at the proposed time. FIRST SCHEDULE PART 2 § 4.]	Data and Information Management	Preventive
Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 [{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — administer that trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be. FIRST SCHEDULE PART 3 § 7.(b)]	Data and Information Management	Preventive
Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 [{without consent}{artistic purpose}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for artistic or literary purposes. FIRST SCHEDULE PART 2 § 3. {without consent} The personal data about an individual is collected, used or disclosed (as the case may be) by a news organisation solely for its news activity. FIRST SCHEDULE PART 2 § 5.]	Data and Information Management	Preventive
Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to recover a debt owed by the individual to the organisation; or FIRST SCHEDULE PART 3 § 4.(a) {collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to pay to the individual a debt owed by the organisation. FIRST SCHEDULE PART 3 § 4.(b)]	Data and Information Management	Preventive
Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for evaluative purposes. FIRST SCHEDULE PART 3 § 2.]	Data and Information Management	Preventive
Collect restricted data absent consent from publicly available information. CC ID 00019 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual that is publicly available. FIRST SCHEDULE PART 2 § 1.]	Data and Information Management	Preventive
Collect restricted data absent consent when needed by law. CC ID 00020	Data and Information Management	Preventive
Collect personal data absent consent to create a credit report. CC ID 15287 [{legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — is for the purpose of the preparation by a credit bureau of a credit report; or FIRST SCHEDULE PART 3 § 6.(1)(a)]	Data and Information Management	Preventive
Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021	Data and Information Management	Preventive
Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022	Data and Information Management	Preventive
Collect the minimum amount of restricted data necessary. CC ID 00078	Data and Information Management	Preventive
Collect restricted data in a proper information framework. CC ID 00009	Data and Information Management	Preventive
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 [Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — for purposes consistent with the purpose of that disclosure, or for any purpose permitted by subsection (1)(a); or § 17.(2)(a) ¶ 1 {collect}{disclose}Subject to sub-paragraphs (2), (3) and (4) — the collection, use or disclosure (as the case may be) of personal data about an individual is in the legitimate interests of the organisation or another person; and FIRST SCHEDULE PART 3 § 1.(1)(a)]	Data and Information Management	Preventive
Collect restricted data when required by law. CC ID 00031	Data and Information Management	Preventive
Collect restricted data to prevent life-threatening emergencies. CC ID 00032 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual, where — there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected. FIRST SCHEDULE PART 1 § 3.(b)]	Data and Information Management	Preventive
Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034	Data and Information Management	Preventive
Collect restricted data for legal purposes. CC ID 00036 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services. FIRST SCHEDULE PART 3 § 5.]	Data and Information Management	Preventive
Review the methods for collecting personal data, as necessary. CC ID 13511	Investigate	Detective
Provide the data subject with information about the data controller during the collection process. CC ID 00023	Establish/Maintain Documentation	Preventive
Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760	Communicate	Preventive
Provide the data subject with the data collector's name and contact information. CC ID 00024 [For the purposes of subsection (4), the organisation must inform the individual of the following: on request by the individual, the business contact information of a person who is able to answer the individual's questions about that collection, use or disclosure (as the case may be) on behalf of the organisation. § 20.(5)(b)]	Establish/Maintain Documentation	Preventive
Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025	Establish/Maintain Documentation	Preventive
Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a data handling program. CC ID 13427	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data handling policies. CC ID 00353	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361	Establish/Maintain Documentation	Preventive
Implement security measures to protect personal data. CC ID 13606 [{storage device}An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent — the loss of any storage medium or device on which personal data is stored. § 24.(b) {absent authorization}An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent — unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and § 24.(a)]	Technical Security	Preventive
Establish, implement, and maintain a personal data transfer program. CC ID 00307	Establish/Maintain Documentation	Preventive
Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333	Establish/Maintain Documentation	Preventive
Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 [{other country} An organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with requirements verb">prescribed under this Act to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under this Act. § 26.(1)]	Establish/Maintain Documentation	Preventive
Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316	Data and Information Management	Preventive
Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317	Data and Information Management	Preventive
Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318	Data and Information Management	Preventive
Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319	Data and Information Management	Preventive
Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320	Data and Information Management	Preventive
Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321	Data and Information Management	Preventive
Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322	Data and Information Management	Preventive
Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323	Data and Information Management	Preventive
Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324	Data and Information Management	Preventive
Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325	Data and Information Management	Preventive
Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326	Data and Information Management	Preventive
Establish, implement, and maintain a privacy impact assessment. CC ID 13712 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify and implement reasonable measures to — reduce the likelihood that the adverse effect will occur; or § 15A.(5)(b)(ii) The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify and implement reasonable measures to — eliminate the adverse effect; § 15A.(5)(b)(i) The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify and implement reasonable measures to — mitigate the adverse effect; and § 15A.(5)(b)(iii)]	Establish/Maintain Documentation	Preventive
Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520	Establish/Maintain Documentation	Preventive
Include how to grant consent in the privacy impact assessment. CC ID 15519	Establish/Maintain Documentation	Preventive
Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518	Establish/Maintain Documentation	Preventive
Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517	Establish/Maintain Documentation	Preventive
Include data handling procedures in the privacy impact assessment. CC ID 15516	Establish/Maintain Documentation	Preventive
Include the intended use of information in the privacy impact assessment. CC ID 15515	Establish/Maintain Documentation	Preventive
Include the reason information is being collected in the privacy impact assessment. CC ID 15514	Establish/Maintain Documentation	Preventive
Include the type of information to be collected in the privacy impact assessment. CC ID 15513	Business Processes	Preventive
Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458	Communicate	Preventive
Develop remedies and sanctions for privacy policy violations. CC ID 00474	Data and Information Management	Preventive
Change or destroy any personal data that is incorrect. CC ID 00462 [When an organisation is notified under subsection (2)(b) or (3) of a correction of personal data, the organisation shall correct the personal data in its possession or under its control unless the organisation is satisfied on reasonable grounds that the correction should "background-color:#CBD0E5;" class="term_secondary-verb">not be made. § 22.(4) Unless the organisation is satisfied on reasonable grounds that a correction should not be made, the organisation shall — correct the personal data as soon as practicable; and § 22.(2)(a)]	Data and Information Management	Corrective
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463	Behavior	Corrective
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 [{refrain from correcting} Nothing in this section shall require an organisation to correct or otherwise alter an opinion, including a professional or an expert opinion. § 22.(6)]	Data and Information Management	Preventive
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465	Data and Information Management	Corrective
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 [An organisation shall — develop a process to receive and respond to complaints that may arise with respect to the application of this Act; § 12.(b)]	Establish/Maintain Documentation	Preventive
Include potential remedies in the privacy dispute resolution program. CC ID 12531	Establish/Maintain Documentation	Preventive
Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395	Establish/Maintain Documentation	Preventive
Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529	Establish/Maintain Documentation	Preventive
Document unresolved challenges. CC ID 13568 [An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. Section 22 shall not apply in respect of— any erm_secondary-verb">BBC;" class="term_primary-noun">examination> conducted by an education institution, examination scripts and, prior to the release of examination results, <span style="background-color:#F0BBBC;" class="term_primary-noun">examination results; SIXTH SCHEDULE § 1.(b) An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. Section 22 shall not apply in respect of— the personal data of the background-color:#F0BBBC;" class="term_primary-noun">beneficiaries of a tyle="background-color:#F0BBBC;" class="term_primary-noun">private trust kept solely for the purpose of ass="term_primary-verb">administering the trust; SIXTH SCHEDULE § 1.(c) An organisation is not required to provide information under section 21(1) in respect of — a document related to a prosecution if all proceedings related to the prosecution have not been completed; or SIXTH SCHEDULE § 1.(e)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an accuracy resolution policy. CC ID 00460	Establish/Maintain Documentation	Preventive
Notify individuals of their right to challenge personal data. CC ID 00457	Data and Information Management	Preventive
Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458	Data and Information Management	Preventive
Terminate an individual's restriction agreement under specific circumstances. CC ID 06260	Configuration	Preventive
Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798	Human Resources Management	Preventive
Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459	Data and Information Management	Preventive
Notify individuals of the time frame in which they may challenge personal data. CC ID 16861	Communicate	Preventive
Investigate the disputed accuracy of personal data. CC ID 00461	Data and Information Management	Preventive
Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466	Behavior	Corrective
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 [subject to subsection (3), send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the date the correction was made, unless that other organisation does not need the corrected personal data for any legal or business purpose. § 22.(2)(b) An organisation (not being a credit bureau) may, if the individual consents, send the corrected personal data only to specific organisations to which the personal data was disclosed by the organisation within a year before the date the correction was made. § 22.(3)]	Behavior	Corrective
Notify third parties of unresolved challenges. CC ID 13559	Communicate	Preventive
Document disagreements as to whether personal data is complete and accurate. CC ID 06952	Establish/Maintain Documentation	Preventive
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 [An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. Section 22 shall b">not apply in respect of— background-color:#F0BBBC;" class="term_primary-noun">opinion data kept solely for an imary-noun">evaluative purpose; SIXTH SCHEDULE § 1.(a) If no correction is made under subsection (2)(a) or (4), the organisation shall annotate the personal data in its possession or under its control with the correction that was requested but e="background-color:#CBD0E5;" class="term_secondary-verb">not made. § 22.(5)]	Establish/Maintain Documentation	Preventive
Investigate privacy rights violation complaints. CC ID 00480	Behavior	Detective
Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487	Behavior	Preventive
Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 [An organisation or a person (including any individual who is a complainant) aggrieved by — may make a written application to the Commission to reconsider the direction or decision in accordance with this section. § 48N.(1) ¶ 1]	Behavior	Preventive
Define the organization's liability based on the applicable law. CC ID 00504	Establish/Maintain Documentation	Preventive
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 [A person who suffers loss or damage directly as a result of a contravention — has a right of action for relief in civil proceedings in a court. § 48O.(1) ¶ 1 A telecommunications service provider which contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000. § 42.(2)]	Establish/Maintain Documentation	Preventive
Define the appeal process based on the applicable law. CC ID 00506 [The application for reconsideration — must be made in the form and manner required by the Commission; and § 48N.(4)(b) An organisation or a person aggrieved by a financial penalty imposed by the Commission under section 48J(1) on the organisation or person may make a written application to the Commission to reconsider the decision to impose the financial penalty or the amount of the financial penalty so imposed in accordance with this section. § 48N.(2) The application for reconsideration — subject to subsection (5), must be submitted to the Commission within the prescribed period; § 48N.(4)(a) The application for reconsideration — must set out the grounds on which the applicant is requesting the reconsideration. § 48N.(4)(c)]	Establish/Maintain Documentation	Preventive
Define the fee structure for the appeal process. CC ID 16532	Process or Activity	Preventive
Define the time requirements for the appeal process. CC ID 16531	Process or Activity	Preventive
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544	Communicate	Preventive
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542	Communicate	Preventive
Establish, implement, and maintain a Customer Information Management program. CC ID 00084	Data and Information Management	Preventive
Establish, implement, and maintain customer data authentication procedures. CC ID 13187	Establish/Maintain Documentation	Preventive
Check the accuracy of restricted data. CC ID 00088 [{is complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data— is likely to be und-color:#B7D8ED;" class="term_primary-verb">used by the organisation to imary-verb">make a decision that affects the individual to whom the personal data " class="term_secondary-verb">relates; or § 23.(a) {is complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the _primary-noun">personal data— is likely to be e="background-color:#B7D8ED;" class="term_primary-verb">disclosed by the organisation to another organisation. § 23.(b) {person}A checker must — ensure that the applicable information provided to P is accurate; and § 43A.(2)(a) {be complete}{be accurate} The organisation must ensure that the copy of the personal data it preserves for the purposes of subsection (1) is a complete and accurate copy of the personal data concerned. § 22A.(2) {be complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation verb">is accurate and complete, if the personal data — § 23.]	Data and Information Management	Preventive
Record restricted data correctly. CC ID 00089	Testing	Detective
Check that restricted data is complete. CC ID 00090 [{be complete}{be accurate} The organisation must ensure that the copy of the personal data it preserves for the purposes of subsection (1) is a complete and accurate copy of the personal data concerned. § 22A.(2) {be complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data — § 23.]	Data and Information Management	Preventive
Establish, implement, and maintain an anti-spam policy. CC ID 00283 [Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes the information, and complies with the conditions, specified in the regulations, if any; and § 44.(c) Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes the information, and complies with the conditions, specified in the regulations, if any; and § 44.(c) For the purposes of subsection (1), the person has valid confirmation that a Singapore telephone number is not listed in the relevant register in either of the following circumstances: the person has obtained from a checker information that the Singapore telephone number is not listed in the relevant register (called in this section the relevant information) and has no reason to believe that, and is not reckless as to whether — § 43.(2)(b)]	Establish/Maintain Documentation	Preventive
Refrain from sending unsolicited commercial electronic messages under predetermined conditions. CC ID 13993 [Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the information included in the specified message in compliance with this section is reasonably likely to be valid for at least 30 days after the message is sent. § 44.(d) For the purposes of subsection (1), the person has valid confirmation that a Singapore telephone number is not listed in the relevant register in either of the following circumstances: the person has, within the prescribed duration before sending the specified message — made an application to the Commission under section 40(2) to confirm whether the Singapore telephone number is listed in the relevant register; and § 43.(2)(a)(i)]	Communicate	Preventive
Refrain from sending unsolicited commercial electronic messages with hyperlinks to a country with an anti-spam policy. CC ID 00284	Behavior	Preventive
Refrain from including misleading information in the e-mail header when transmitting electronic messages. CC ID 00285	Behavior	Preventive
Include information identifying the organization hired to send commercial electronic messages when sending commercial electronic messages through a third party. CC ID 00286	Establish/Maintain Documentation	Detective
Include contact information in commercial electronic messages. CC ID 15457	Business Processes	Preventive
Refrain from sending commercial electronic messages to a third party computer when the message does not contain a functioning return e-mail address that is clearly visible to the receiver. CC ID 00287	Behavior	Preventive
Refrain from sending commercial electronic messages, physical mail, or making telephone calls after an opt out by a user. CC ID 00288 [{refrain from sending} If a subscriber or user of a Singapore telephone number gives notice withdrawing consent given to a person for the sending of any specified message="background-color:#CBD0E5;" class="term_secondary-verb">span> to that Singapore telephone number, the person shall cease (and cause its agent to cease) sending any specified message to that Singapore telephone number after the expiry of the prescribed period. § 47.(3)]	Behavior	Preventive
Include a personal identifier, an opt-out provision, and a physical address to add the recipient to the do-not-e-mail registry in all commercial e-mails. CC ID 00289	Behavior	Preventive
Make the opt-out functional after the e-mail is sent, as necessary. CC ID 00290	Data and Information Management	Preventive
Unsubscribe users from the opt-out notification, as necessary. CC ID 00291	Data and Information Management	Preventive
Make identifiers accurate after e-mails are sent, as necessary. CC ID 00292	Data and Information Management	Preventive
Define aggravated violations that relate to commercial electronic messages. CC ID 00293	Establish/Maintain Documentation	Preventive
Refrain from using misleading subject lines or false subject line on unsolicited commercial electronic messages. CC ID 00294	Behavior	Preventive
Define who enforces the anti-spam policy. CC ID 00295	Establish Roles	Preventive
Establish, implement, and maintain a do-not-e-mail registry. CC ID 00297	Establish/Maintain Documentation	Preventive
Enter individuals into the do-not-e-mail registry upon request. CC ID 11810	Data and Information Management	Preventive
Refrain from using address-harvesting software to send unsolicited commercial e-mails. CC ID 00298	Behavior	Preventive
Refrain from sending unsolicited commercial electronic messages to nonexistent electronic addresses. CC ID 00299 [Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless the person has, at the time the person sends the specified message, valid confirmation that the Singapore telephone number is not listed in the relevant register. § 43.(1) For the purposes of subsection (1), the person has valid confirmation that a Singapore telephone number is not listed in the relevant register in either of the following circumstances: the person has, within the prescribed duration before sending the specified message — received confirmation from the Commission that the Singapore telephone number is not listed in the relevant register; § 43.(2)(a)(ii) Subject to subsections (2) and (3), a person must not send, cause to be sent or authorise the sending of an applicable message. § 48B.(1)]	Behavior	Preventive
Include that commercial electronic messages may be sent to an individual in any situation where the sender has prior consent from the individual or another existing business relationship in the anti-spam policy. CC ID 00300	Establish/Maintain Documentation	Preventive
Send commercial electronic messages to individuals who have consented to receive them. CC ID 00302	Behavior	Preventive
Send commercial electronic messages to individuals who have an existing relationship with the organization. CC ID 00301	Behavior	Preventive
Send commercial electronic messages to individuals who perform a business function to which the content of the message pertains. CC ID 13995	Communicate	Preventive
Document erroneous messages when an unsolicited commercial electronic message is accidentally sent. CC ID 00303	Establish/Maintain Documentation	Preventive
Give customers the opportunity to object to receiving commercial electronic messages. CC ID 00304 [{allow} For the avoidance of doubt, a subscriber of a Singapore telephone number may, at any time on or after the date of commencement of this Part, withdraw any consent given for the style="background-color:#CBD0E5;" class="term_secondary-verb">sending of a specified message to that Singapore telephone number. § 47.(6)]	Data and Information Management	Preventive
Refrain from unknowingly including hyperlinks in commercial electronic messages to the anti-spam policy's country of origin. CC ID 00305	Testing	Detective

Common Controls and
mandates by Type 172 Mandated Controls - bold
59 Implied Controls - italic 800 Implementation

Number of Controls

1031 Total

Acquisition/Sale of Assets or Services

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861	Operational management	Preventive

Actionable Reports or Measurements

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Measure policy compliance when reviewing the internal control framework. CC ID 06442	Operational management	Corrective
Refrain from including restricted information in the incident response notification. CC ID 16806	Operational management	Preventive

Audits and Risk Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809	Operational management	Preventive

Behavior

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Delegate authority for specific processes, as necessary. CC ID 06780 [An individual designated under subsection (3) may delegate to another individual the responsibility conferred by that BBBC;" class="term_primary-noun">designation. § 11.(4)]	Human Resources management	Preventive
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955	Operational management	Preventive
Make compliance and governance decisions in a timely manner. CC ID 06490	Operational management	Preventive
Refrain from accepting instant messages from unknown senders. CC ID 12537	Operational management	Preventive
Include employee engagement in the analysis of the organizational culture. CC ID 12914	Operational management	Preventive
Include skill development in the analysis of the organizational culture. CC ID 12913	Operational management	Preventive
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912	Operational management	Preventive
Include employee loyalty in the analysis of the organizational culture. CC ID 12911	Operational management	Preventive
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910	Operational management	Preventive
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [An organisation shall — communicate to its staff information about the organisation's policies and practices referred to in paragraph (a); and § 12.(c) An organisation shall — make information available on request about— the policies and practices referred to in paragraph (a); and § 12.(d)(i)]	Operational management	Preventive
Share data loss event information with the media. CC ID 01759	Operational management	Corrective
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731	Operational management	Corrective
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 [Where a data intermediary (other than a data intermediary mentioned in section 26E) has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation — the data intermediary must, without undue delay, notify that other organisation of the occurrence of the data breach; and § 26C.(3)(a) Subject to subsections (5), (6) and (7), on or after notifying the Commission under subsection (1), the organisation must also notify each affected individual affected by a notifiable data breach mentioned in section 26B(1)(a) in any manner that is reasonable in the circumstances. § 26D.(2) {refrain from delaying} the organisation must, without undue delay, notify the public agency of the occurrence of the data breach. § 26E. ¶ 1]	Operational management	Corrective
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 [Where a data intermediary (other than a data intermediary mentioned in section 26E) has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation — that other organisations must, upon notification by the data intermediary, conduct an assessment of whether the data breach is a notifiable data breach. § 26C.(3)(b) {reasonable manner}{be efficient} Subject to subsection (3), where an organisation has reason to believe that a data breach affecting personal data in its possession or under its control has occurred, the organisation must conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach. § 26C.(2)]	Operational management	Detective
Delay sending incident response notifications under predetermined conditions. CC ID 00804	Operational management	Corrective
Avoid false positive incident response notifications. CC ID 04732	Operational management	Detective
Send paper incident response notifications to affected parties, as necessary. CC ID 00366	Operational management	Corrective
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803	Operational management	Corrective
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368	Operational management	Corrective
Telephone incident response notifications to affected parties, as necessary. CC ID 04650	Operational management	Corrective
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747	Operational management	Preventive
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750	Operational management	Preventive
Publish the incident response notification in a general circulation periodical. CC ID 04651	Operational management	Corrective
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769	Operational management	Preventive
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367	Operational management	Corrective
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383	Privacy protection for information and data	Preventive
Define the criteria for waivers of data subjects' rights. CC ID 16858	Privacy protection for information and data	Preventive
Revoke waivers of data subject's rights, as necessary. CC ID 16859	Privacy protection for information and data	Preventive
Notify the supervisory authority. CC ID 00472 [{terminated telephone number} Every telecommunications service provider shall report to the ground-color:#F0BBBC;" class="term_primary-noun">Commission, in the form and manner prescribed, all terminated Singapore telephone numbers. § 42.(1) {report}{terminated telephone number}For the purpose of subsection (1), where — it shall be the responsibility of the first provider to satisfy subsection (1). § 42.(4) ¶ 1]	Privacy protection for information and data	Preventive
Notify the data subject of the collection purpose. CC ID 00095 [For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of— the purposes for the collection, use or disclosure of the personal data, as the case may be, on or before pan style="background-color:#CBD0E5;" class="term_secondary-verb">collecting the personal data; § 20.(1)(a) For the purposes of subsection (4), the organisation must inform the individual of the following: the purpose for which the organisation is collecting, using or disclosing (as the case may be) the personal data about the individual; § 20.(5)(a) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the purpose for which the personal data will be collected, used or disclosed; § 15A.(4)(b)(ii) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the organisation's intention to collect, use or disclose the personal data; § 15A.(4)(b)(i) {individual's vital interest} Where the organisation collects, uses or discloses (as the case may be) personal data about the individual under sub-paragraph (1), the organisation must, as soon as is practicable, notify the individual of the collection, use or disclosure (as the case may be) and the purpose for the collection, use or disclosure, as the case may be. FIRST SCHEDULE PART 1 § 1.(2)]	Privacy protection for information and data	Preventive
Notify the data subject of changes to personal data use. CC ID 00105 [For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of— any other purpose of the use or disclosure of the personal data of which the individual has not been informed under paragraph (a), before the un">usepan> or disclosure of the personal data for that purpose; and § 20.(1)(b)]	Privacy protection for information and data	Preventive
Notify the data subject after personal data is used or disclosed. CC ID 06247 [{business asset transaction}{organization}{prospective party}If X enters into the relevant transaction, the following conditions apply: X, Y or Z must notify the applicable individuals of Z whose personal data is disclosed that — the relevant transaction has taken place; and FIRST SCHEDULE PART 4 § 2.(3)(c)(i) {business asset transaction}{organization}{prospective party}If X enters into the relevant transaction, the following conditions apply: X, Y or Z must notify the applicable individuals of Z whose personal data is disclosed that — the personal data about them has been disclosed to X. FIRST SCHEDULE PART 4 § 2.(3)(c)(ii) If X enters into the business asset transaction, the following conditions apply: X or Y must notify the applicable individuals of Y whose personal data is disclosed that — the business asset transaction has taken place; and FIRST SCHEDULE PART 4 § 1.(4)(c)(i)]	Privacy protection for information and data	Preventive
Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 [{prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: X or Y must notify the applicable individuals of Y whose personal data is disclosed that — the personal data about them has been disclosed to X. FIRST SCHEDULE PART 4 § 1.(4)(c)(ii)]	Privacy protection for information and data	Preventive
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253	Privacy protection for information and data	Preventive
Notify the data subject of the source of collected personal data. CC ID 00083	Privacy protection for information and data	Preventive
Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069	Privacy protection for information and data	Preventive
Use simple understandable language to collect information from children. CC ID 00039	Privacy protection for information and data	Preventive
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463	Privacy protection for information and data	Corrective
Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466	Privacy protection for information and data	Corrective
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 [subject to subsection (3), send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the date the correction was made, unless that other organisation does not need the corrected personal data for any legal or business purpose. § 22.(2)(b) An organisation (not being a credit bureau) may, if the individual consents, send the corrected personal data only to specific organisations to which the personal data was disclosed by the organisation within a year before the date the correction was made. § 22.(3)]	Privacy protection for information and data	Corrective
Investigate privacy rights violation complaints. CC ID 00480	Privacy protection for information and data	Detective
Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487	Privacy protection for information and data	Preventive
Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 [An organisation or a person (including any individual who is a complainant) aggrieved by — may make a written application to the Commission to reconsider the direction or decision in accordance with this section. § 48N.(1) ¶ 1]	Privacy protection for information and data	Preventive
Refrain from sending unsolicited commercial electronic messages with hyperlinks to a country with an anti-spam policy. CC ID 00284	Privacy protection for information and data	Preventive
Refrain from including misleading information in the e-mail header when transmitting electronic messages. CC ID 00285	Privacy protection for information and data	Preventive
Refrain from sending commercial electronic messages to a third party computer when the message does not contain a functioning return e-mail address that is clearly visible to the receiver. CC ID 00287	Privacy protection for information and data	Preventive
Refrain from sending commercial electronic messages, physical mail, or making telephone calls after an opt out by a user. CC ID 00288 [{refrain from sending} If a subscriber or user of a Singapore telephone number gives notice withdrawing consent given to a person for the sending of any specified message="background-color:#CBD0E5;" class="term_secondary-verb">span> to that Singapore telephone number, the person shall cease (and cause its agent to cease) sending any specified message to that Singapore telephone number after the expiry of the prescribed period. § 47.(3)]	Privacy protection for information and data	Preventive
Include a personal identifier, an opt-out provision, and a physical address to add the recipient to the do-not-e-mail registry in all commercial e-mails. CC ID 00289	Privacy protection for information and data	Preventive
Refrain from using misleading subject lines or false subject line on unsolicited commercial electronic messages. CC ID 00294	Privacy protection for information and data	Preventive
Refrain from using address-harvesting software to send unsolicited commercial e-mails. CC ID 00298	Privacy protection for information and data	Preventive
Refrain from sending unsolicited commercial electronic messages to nonexistent electronic addresses. CC ID 00299 [Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless the person has, at the time the person sends the specified message, valid confirmation that the Singapore telephone number is not listed in the relevant register. § 43.(1) For the purposes of subsection (1), the person has valid confirmation that a Singapore telephone number is not listed in the relevant register in either of the following circumstances: the person has, within the prescribed duration before sending the specified message — received confirmation from the Commission that the Singapore telephone number is not listed in the relevant register; § 43.(2)(a)(ii) Subject to subsections (2) and (3), a person must not send, cause to be sent or authorise the sending of an applicable message. § 48B.(1)]	Privacy protection for information and data	Preventive
Send commercial electronic messages to individuals who have consented to receive them. CC ID 00302	Privacy protection for information and data	Preventive
Send commercial electronic messages to individuals who have an existing relationship with the organization. CC ID 00301	Privacy protection for information and data	Preventive

Business Processes

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain a positive information control environment. CC ID 00813	Operational management	Preventive
Define the scope for the internal control framework. CC ID 16325	Operational management	Preventive
Review the relevance of information supporting internal controls. CC ID 12420	Operational management	Detective
Assign resources to implement the internal control framework. CC ID 00816	Operational management	Preventive
Establish, implement, and maintain a baseline of internal controls. CC ID 12415	Operational management	Preventive
Leverage actionable information to support internal controls. CC ID 12414	Operational management	Preventive
Align the information security policy with the organization's risk acceptance level. CC ID 13042	Operational management	Preventive
Establish, implement, and maintain information security procedures. CC ID 12006	Operational management	Preventive
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011	Operational management	Preventive
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009	Operational management	Preventive
Establish, implement, and maintain information sharing agreements. CC ID 15645	Operational management	Preventive
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328	Operational management	Preventive
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075	Operational management	Preventive
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818	Operational management	Preventive
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674	Operational management	Preventive
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673	Operational management	Preventive
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675	Operational management	Preventive
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671	Operational management	Preventive
Review systems for compliance with organizational information security policies. CC ID 12004	Operational management	Preventive
Establish, implement, and maintain an Incident Management program. CC ID 00853	Operational management	Preventive
Refrain from charging for providing incident response notifications. CC ID 13876	Operational management	Preventive
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766	Operational management	Corrective
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780	Privacy protection for information and data	Preventive
Provide the data subject with the data protection officer's contact information. CC ID 12573	Privacy protection for information and data	Preventive
Refrain from charging a fee to implement an opt-out request. CC ID 13877	Privacy protection for information and data	Preventive
Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781	Privacy protection for information and data	Preventive
Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795	Privacy protection for information and data	Preventive
Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452	Privacy protection for information and data	Preventive
Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454	Privacy protection for information and data	Preventive
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [{allow} On giving notice, a subscriber or user of a Singapore telephone number may at any time withdraw any consent given to a person for the ="background-color:#CBD0E5;" class="term_secondary-verb">sending of any specified message to that Singapore telephone number. § 47.(1)]	Privacy protection for information and data	Preventive
Allow consent requests to be provided in any official languages. CC ID 16530	Privacy protection for information and data	Preventive
Define the requirements for approving or denying approval applications. CC ID 16780	Privacy protection for information and data	Preventive
Extend the time limit for approving or denying approval applications. CC ID 16779	Privacy protection for information and data	Preventive
Refrain from erasing personal data when the data subject consents to retention. CC ID 14326	Privacy protection for information and data	Preventive
Refrain from processing personal data when it reveals trade union membership. CC ID 12583	Privacy protection for information and data	Preventive
Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582	Privacy protection for information and data	Preventive
Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581	Privacy protection for information and data	Preventive
Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580	Privacy protection for information and data	Preventive
Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579	Privacy protection for information and data	Preventive
Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578	Privacy protection for information and data	Preventive
Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577	Privacy protection for information and data	Preventive
Refrain from processing personal data when it reveals religious beliefs. CC ID 12576	Privacy protection for information and data	Preventive
Refrain from processing personal data when it reveals political opinions. CC ID 12575	Privacy protection for information and data	Preventive
Refrain from processing personal data if it reveals ethnic origin. CC ID 12574	Privacy protection for information and data	Preventive
Refrain from processing personal data for marketing or advertising to children. CC ID 14010	Privacy protection for information and data	Preventive
Dispose of personal data removal requests, as necessary. CC ID 13512	Privacy protection for information and data	Preventive
Include the type of information to be collected in the privacy impact assessment. CC ID 15513	Privacy protection for information and data	Preventive
Include contact information in commercial electronic messages. CC ID 15457	Privacy protection for information and data	Preventive

Communicate

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313	Audits and risk management	Preventive
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809	Operational management	Preventive
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625	Operational management	Preventive
Share security information with interested personnel and affected parties. CC ID 11732	Operational management	Preventive
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229	Operational management	Preventive
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835	Operational management	Preventive
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303	Operational management	Preventive
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739	Operational management	Preventive
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026	Operational management	Preventive
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431	Operational management	Preventive
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191	Operational management	Preventive
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788	Operational management	Preventive
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539	Operational management	Preventive
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538	Operational management	Preventive
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797	Operational management	Preventive
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782	Operational management	Preventive
Submit written requests to delay the notification of affected parties. CC ID 16783	Operational management	Preventive
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767	Operational management	Corrective
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085	Operational management	Preventive
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347	Operational management	Corrective
Provide public proof the organization participates in a privacy program. CC ID 12349	Privacy protection for information and data	Preventive
Disclose statements added to education records, as necessary. CC ID 12990	Privacy protection for information and data	Preventive
Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005	Privacy protection for information and data	Preventive
Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023	Privacy protection for information and data	Preventive
Disclose educational data absent consent when it concerns sex offenders. CC ID 13013	Privacy protection for information and data	Preventive
Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject, as necessary. CC ID 12625 [An organisation is not required to provide information under section 21(1) in respect of— any examination conducted by an education institution, und-color:#F0BBBC;" class="term_primary-noun">examination scripts and, prior to the release of examination results, lass="term_primary-noun">examination results; FIFTH SCHEDULE § 1.(b) An organisation is not required to provide information under section 21(1) in respect of— the personal data of the beneficiaries of a F0BBBC;" class="term_primary-noun">private trust ss="term_primary-verb">kept solely for the purpose of administering the trust; FIFTH SCHEDULE § 1.(c) An organisation is not required to provide information under section 21(1) in respect of— personal data kept by an arbitral institution or a mediation centre solely for the >purposespan> of an style="background-color:#F0BBBC;" class="term_primary-noun">arbitration or mediation proceedings administered by the arbitral institution or mediation centre; FIFTH SCHEDULE § 1.(d) An organisation is not required to provide information under section 21(1) in respect of— a document related to a prosecution if all 0BBBC;" class="term_primary-noun">proceedings related to the prosecution haground-color:#CBD0E5;" class="term_secondary-verb">ve n style="background-color:#B7D8ED;" class="term_primary-verb">not been completed; FIFTH SCHEDULE § 1.(e) An organisation is not required to provide information under section 21(1) in respect of— personal data which is primary-verb">subjectspan> to an style="background-color:#F0BBBC;" class="term_primary-noun">legal privilege; FIFTH SCHEDULE § 1.(f) An organisation is not required to provide information under section 21(1) in respect of— personal data kept by an arbitral institution or a mediation centre solely for the >purposespan> of an style="background-color:#F0BBBC;" class="term_primary-noun">arbitration or mediation proceedings administered by the arbitral institution or mediation centre; SIXTH SCHEDULE § 1.(d) {notifiable data breach}An organisation must not notify any affected individual in accordance with subsection (2) if — the Commission so directs. § 26D.(6)(b) An organisation is not required to provide information under section 21(1) in respect of — derived personal data. SIXTH SCHEDULE § 1.(f)]	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 [{notifiable data breach}An organisation must not notify any affected individual in accordance with subsection (2) if — a prescribed law enforcement agency so instructs; or § 26D.(6)(a)]	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645	Privacy protection for information and data	Preventive
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628	Privacy protection for information and data	Preventive
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the purpose for which the personal data will be collected, used or disclosed; § 15A.(4)(b)(ii)]	Privacy protection for information and data	Preventive
Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537	Privacy protection for information and data	Preventive
Submit approval applications to the supervisory authority. CC ID 16627	Privacy protection for information and data	Preventive
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605	Privacy protection for information and data	Preventive
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675	Privacy protection for information and data	Corrective
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502	Privacy protection for information and data	Preventive
Disclose de-identified data, as necessary. CC ID 13034	Privacy protection for information and data	Preventive
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990	Privacy protection for information and data	Corrective
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708	Privacy protection for information and data	Corrective
Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 [{data breach}{notifiable data breach} The organisation must carry out the assessment mentioned in subsection (2) or (3)(b) in accordance with any prescribed requirements. § 26C.(4)]	Privacy protection for information and data	Corrective
Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989	Privacy protection for information and data	Corrective
Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 [An organisation may — disclose personal data about an individual without the consent of the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 3 of the Second Schedule. § 17.(1)(c) {individual's vital interest}{without consent}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — the individual would not reasonably be expected to withhold consent. FIRST SCHEDULE PART 1 § 1.(1)(b) {organization}{corporation}{business improvement purpose}Subject to the conditions in sub-paragraphs (3), (4) and (5), personal data about an individual (P) — is disclosed by Y to X for a relevant purpose. FIRST SCHEDULE PART 5 § 1.(1)(c)]	Privacy protection for information and data	Preventive
Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469	Privacy protection for information and data	Preventive
Capture personal data removal requests. CC ID 13507	Privacy protection for information and data	Preventive
Notify the data subject of the disclosure purpose. CC ID 15268 [For the purposes of subsection (4), the organisation must inform the individual of the following: the purpose for which the organisation is collecting, using or disclosing (as the case may be) the personal data about the individual; § 20.(5)(a)]	Privacy protection for information and data	Preventive
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509	Privacy protection for information and data	Preventive
Notify that data subject of any exclusions to requested personal data. CC ID 15271 [the organisation must notify the individual of the exclusion, under subsection (2) or (3), of any of the personal data or other information so requested. § 21.(7) ¶ 1]	Privacy protection for information and data	Preventive
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599	Privacy protection for information and data	Preventive
Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760	Privacy protection for information and data	Preventive
Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458	Privacy protection for information and data	Preventive
Notify individuals of the time frame in which they may challenge personal data. CC ID 16861	Privacy protection for information and data	Preventive
Notify third parties of unresolved challenges. CC ID 13559	Privacy protection for information and data	Preventive
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544	Privacy protection for information and data	Preventive
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542	Privacy protection for information and data	Preventive
Refrain from sending unsolicited commercial electronic messages under predetermined conditions. CC ID 13993 [Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the information included in the specified message in compliance with this section is reasonably likely to be valid for at least 30 days after the message is sent. § 44.(d) For the purposes of subsection (1), the person has valid confirmation that a Singapore telephone number is not listed in the relevant register in either of the following circumstances: the person has, within the prescribed duration before sending the specified message — made an application to the Commission under section 40(2) to confirm whether the Singapore telephone number is listed in the relevant register; and § 43.(2)(a)(i)]	Privacy protection for information and data	Preventive
Send commercial electronic messages to individuals who perform a business function to which the content of the message pertains. CC ID 13995	Privacy protection for information and data	Preventive

Configuration

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Automate threat assessments, as necessary. CC ID 06877	Operational management	Preventive
Automate vulnerability management, as necessary. CC ID 11730	Operational management	Preventive
Terminate an individual's restriction agreement under specific circumstances. CC ID 06260	Privacy protection for information and data	Preventive

Data and Information Management

376

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772	Operational management	Preventive
Identify the sender in all electronic messages. CC ID 13996 [{be clear}{be accurate}Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes clear and accurate information identifying the individual or organisation that sent or authorised the sending of the specified message; § 44.(a) {be clear}{be accurate}Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes clear and accurate information about how the recipient can readily contact that individual or organisation; § 44.(b) Subject to section 48(3), a person that makes a voice call containing a specified message or causes a voice call containing a specified message to be made or authorises the making of a voice call containing a specified message, addressed to a Singapore telephone number, from a telephone number or fax number, must not do any of the following: conceal or withhold from the recipient the calling line identity of the sender; § 45.(a) Subject to section 48(3), a person that makes a voice call containing a specified message or causes a voice call containing a specified message to be made or authorises the making of a voice call containing a specified message, addressed to a Singapore telephone number, from a telephone number or fax number, must not do any of the following: perform any operation or issue any instruction in connection with the sending of the specified message for the purpose of, or that has the effect of, concealing or withholding from the recipient the calling line identity of the sender. § 45.(b)]	Operational management	Preventive
Share incident information with interested personnel and affected parties. CC ID 01212 [{data breach} The notification under subsection (1) must be made in the form and submitted in the manner required by the Commission. § 26D.(4)]	Operational management	Corrective
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036	Operational management	Preventive
Report data loss event information to breach notification organizations. CC ID 01210 [Where an organisation assesses, in accordance with section 26C, that a data breach is a notifiable data breach, the organisation must notify the Commission as soon as is practicable, but in any case no later than 3 calendar days after the day the organisation makes that assessment. § 26D.(1)]	Operational management	Corrective
Establish, implement, and maintain a personal data transparency program. CC ID 00375	Privacy protection for information and data	Preventive
Establish, implement, and maintain adequate openness procedures. CC ID 00377 [{absent consent} An organisation, on or before collecting personal data about an individual from another organisation without the consent of the individual, shall provide the other organisation with sufficient :#CBD0E5;" class="term_secondary-verb">ary-noun">informationpan> regarding the purpose of the an style="background-color:#F0BBBC;" class="term_primary-noun">collection to allow that other organisation to determine whether the disclosure would be in accordance with this Act. § 20.(2) An organisation shall — make information available on request about — § 12.(d)]	Privacy protection for information and data	Preventive
Provide legal authorities access to personal data, upon request. CC ID 06818	Privacy protection for information and data	Preventive
Document the countries where restricted data may be stored. CC ID 12750	Privacy protection for information and data	Preventive
Protect the rights of students and their parents or legal representatives. CC ID 00222	Privacy protection for information and data	Preventive
Disclose educational data, as necessary. CC ID 00223 [{disclose}{without consent} The disclosure of personal data about an individual who is a current or former student of an educational institution to a public agency for the purposes of policy formulation or review. SECOND SCHEDULE PART 3 Division 1 § 2.]	Privacy protection for information and data	Preventive
Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220	Privacy protection for information and data	Preventive
Disclose education records when written consent is received. CC ID 00224	Privacy protection for information and data	Preventive
Disclose educational data absent consent to other school officials. CC ID 00226	Privacy protection for information and data	Preventive
Disclose educational data absent consent to another institution's school officials. CC ID 00227	Privacy protection for information and data	Preventive
Disclose educational data absent consent in connection with financial aid. CC ID 00229	Privacy protection for information and data	Preventive
Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230	Privacy protection for information and data	Preventive
Disclose educational data absent consent to accrediting organizations. CC ID 00231	Privacy protection for information and data	Preventive
Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232	Privacy protection for information and data	Preventive
Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233	Privacy protection for information and data	Preventive
Disclose educational data absent consent for a health and safety emergency. CC ID 00234	Privacy protection for information and data	Preventive
Disclose educational data absent consent when it is merely directory information. CC ID 00235	Privacy protection for information and data	Preventive
Disclose educational data absent consent to a crime victim. CC ID 00236	Privacy protection for information and data	Preventive
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [{legitimate interest}For the purposes of sub-paragraph (1), the organisation must — provide the individual with reasonable access to information about the organisation's collection, use or disclosure of personal data (as the case may be) in accordance with sub-paragraph (1). FIRST SCHEDULE PART 3 § 1.(2)(b)]	Privacy protection for information and data	Preventive
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399	Privacy protection for information and data	Preventive
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391	Privacy protection for information and data	Preventive
Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526	Privacy protection for information and data	Preventive
Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 [{refrain from requiring}(is unreasonable} A person shall not, as a condition for supplying goods, services, land, interest or opportunity, require a subscriber or user of a Singapore telephone number to give -verb">ound-color:#F0BBBC;" class="term_primary-noun">consentspan> for the sending of a specified le="background-color:#F0BBBC;" class="term_primary-noun">message to that Singapore telephone number or any other Singapore telephone number beyond what is reasonable to provide the goods, services, land, interest or opportunity to that subscriber or user, and any consent given in such circumstance is not validly given. § 46.(1) An organisation shall not — as a condition of providing a product or service, require an individual to consent to the collection, use or disclosure of personal data about the individual beyond what is reasonable to provide the product or service to that individual; or § 14.(2)(a)]	Privacy protection for information and data	Preventive
Refrain from obtaining consent through deception. CC ID 13556 [{deceptive act or practice}{refrain from accepting} If a person obtains or attempts to obtain consent for sending a specified message to a Singapore telephone number— by providing="term_secondary-verb"> false or misleading information with respect to the sending of the specified message; or by using deceptive or misleading practices, any und-coloy-verb">r:#F0BBBC;" class="term_primary-noun">consent given in such circumstances is not validly given. § 46.(2) ¶ 1 An organisation shall not — obtain or attempt to obtain consent for collecting, using, or disclosing personal data by providing false or misleading information with respect to the collection, use, or disclosure of the personal data, or using deceptive or misleading practices. § 14.(2)(b)]	Privacy protection for information and data	Preventive
Give individuals the ability to change the uses of their personal data. CC ID 00469 [{refrain from using} Notwithstanding the other provisions in this Part, an organisation may use personal data about an individual collected before the appointed day for the purposes for which the personal data was collected unless — consent for such use is withdrawn in accordance with section 16; or § 19.(a) A person shall not prohibit a subscriber or user of a Singapore telephone number from withdrawing his consent to the sending of a specified ound-color:#F0BBBC;" class="terd-color:#CBD0E5;" class="term_secondary-verb">m_primary-noun">message to that Singapore telephone number, but this section shall not affect any legal consequences arising from such withdrawal. § 47.(2)]	Privacy protection for information and data	Preventive
Notify data subjects of the implications of withdrawing consent. CC ID 13551 [On receipt of the notice referred to in subsection (1), the organisation concerned shall inform the individual of the likely consequences of withdrawing his consent. § 16.(2) An organisation shall not prohibit an individual from withdrawing his consent to the collection, use or disclosure of personal data about the individual, but this section shall not affect any legal consequences arising from such withdrawal. § 16.(3)]	Privacy protection for information and data	Preventive
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096	Privacy protection for information and data	Preventive
Dispose of media and restricted data in a timely manner. CC ID 00125 [{dispose}{deidentify}{no longer appropriate} An organisation shall cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that — the ass="term_primastyle="background-color:#CBD0E5;" class="term_secondary-verb">ry-noun">purpose for which that personal data was collected is no longer being served by retention of the personal data; and § 25.(a) {dispose}{deidentify} An organisation shall cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that— <span style="background-color:#F0BBBC;" class="term_primary-noun">retention is style="background-color:#CBD0E5;" class="term_secondary-verb">rm_primary-verb">no longer necessaryspan> for legal or business purposes. § 25.(b) {prospective party}{organization} If the business asset transaction does not proceed or is not completed, X must destroy, or return to Y, all personal data collected. FIRST SCHEDULE PART 4 § 1.(5) {organization}{prospective party}{business asset transaction}{individual}If the relevant transaction does not proceed or is not completed — X must destroy, or return to Y or Z (as the case may be), all personal data collected; and FIRST SCHEDULE PART 4 § 2.(4)(a) {business asset transaction}{organization}If the relevant transaction does not proceed or is not completed — Y must destroy, or return to Z, all personal data collected. FIRST SCHEDULE PART 4 § 2.(4)(b)]	Privacy protection for information and data	Preventive
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 [An organisation may collect, use or disclose personal data about an individual only for purposes— that the -noun">individual has been n style="background-color:#B7D8ED;" class="term_primary-verb">informed of under section 20, if applicable. § 18.(b) Subject to subsections (2), (3) and (4), on request of an individual, an organisation shall, as soon as reasonably possible, provide the individual with— information about the ways in which the personal data referred to in paragraph (a) has been or may have been used or disclosed by the organisation within a year before the date of the request. § 21.(1)(b) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the purpose for which the personal data will be collected, used or disclosed; § 15A.(4)(b)(ii) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the organisation's intention to collect, use or disclose the personal data; § 15A.(4)(b)(i) {individual's vital interest} Where the organisation collects, uses or discloses (as the case may be) personal data about the individual under sub-paragraph (1), the organisation must, as soon as is practicable, notify the individual of the collection, use or disclosure (as the case may be) and the purpose for the collection, use or disclosure, as the case may be. FIRST SCHEDULE PART 1 § 1.(2) For the purposes of subsection (4), the organisation must inform the individual of the following: the purpose for which the organisation is collecting, using or disclosing (as the case may be) the personal data about the individual; § 20.(5)(a) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or § 20.(4)(a) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or § 20.(4)(a) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or § 20.(4)(a) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. § 20.(4)(b) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. § 20.(4)(b) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. § 20.(4)(b)]	Privacy protection for information and data	Preventive
Provide individuals with information about disclosure of their personal data. CC ID 00417 [{individual's vital interest} Where the organisation collects, uses or discloses (as the case may be) personal data about the individual under sub-paragraph (1), the organisation must, as soon as is practicable, notify the individual of the collection, use or disclosure (as the case may be) and the purpose for the collection, use or disclosure, as the case may be. FIRST SCHEDULE PART 1 § 1.(2)]	Privacy protection for information and data	Preventive
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418	Privacy protection for information and data	Preventive
Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual; § 15A.(5)(a) {legitimate interest}{collect}{disclose}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify any adverse effect that the proposed collection, use or disclosure (as the case may be) of personal data about an individual is likely to have on the individual; FIRST SCHEDULE PART 3 § 1.(3)(a)]	Privacy protection for information and data	Preventive
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197	Privacy protection for information and data	Preventive
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528	Privacy protection for information and data	Preventive
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250	Privacy protection for information and data	Preventive
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 [{disclose}The disclosure of personal data about an individual who is a current or former patient of any of the following to a public agency for the purposes of policy formulation or review: a healthcare institution licensed under the Private Hospitals and Medical Clinics Act (Cap. 248); SECOND SCHEDULE PART 3 Division 1 § 3.(a)]	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 [{disclose}The disclosure of personal data about an individual who is a current or former patient of any of the following to a public agency for the purposes of policy formulation or review: a prescribed healthcare body. SECOND SCHEDULE PART 3 Division 1 § 3.(c) {disclose}The disclosure of personal data about an individual who is a current or former patient of any of the following to a public agency for the purposes of policy formulation or review: a licensee under the Healthcare Services Act 2020 (Act 3 of 2020); SECOND SCHEDULE PART 3 Division 1 § 3.(b)]	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819	Privacy protection for information and data	Preventive
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217	Privacy protection for information and data	Preventive
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218	Privacy protection for information and data	Preventive
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219	Privacy protection for information and data	Preventive
Process personal data after the data subject has granted explicit consent. CC ID 00180 [{refrain from processing} An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless— the individual rb">gives</span>, or is deemed to have given, his consent under this Act to the collection, use or disclosure, as the case may be; or § 13.(a)]	Privacy protection for information and data	Preventive
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182	Privacy protection for information and data	Preventive
Process personal data relating to criminal offenses when required by law. CC ID 00237	Privacy protection for information and data	Preventive
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183	Privacy protection for information and data	Preventive
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184	Privacy protection for information and data	Preventive
Process personal data for statistical purposes or scientific purposes. CC ID 00256	Privacy protection for information and data	Preventive
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [{collect}{disclose}Subject to sub-paragraphs (2), (3) and (4) — the collection, use or disclosure (as the case may be) of personal data about an individual is in the legitimate interests of the organisation or another person; and FIRST SCHEDULE PART 3 § 1.(1)(a)]	Privacy protection for information and data	Preventive
Process traffic data in a controlled manner. CC ID 00130	Privacy protection for information and data	Preventive
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186	Privacy protection for information and data	Preventive
Process personal data when it is publicly accessible. CC ID 00187 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual that is publicly available. FIRST SCHEDULE PART 2 § 1.]	Privacy protection for information and data	Preventive
Process personal data for direct marketing and other personalized mail programs. CC ID 00188	Privacy protection for information and data	Preventive
Process personal data for the purposes of employment. CC ID 16527	Privacy protection for information and data	Preventive
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services. FIRST SCHEDULE PART 3 § 5.]	Privacy protection for information and data	Preventive
Process personal data for debt collection or benefit payments. CC ID 00190 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to recover a debt owed by the individual to the organisation; or FIRST SCHEDULE PART 3 § 4.(a) {collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to pay to the individual a debt owed by the organisation. FIRST SCHEDULE PART 3 § 4.(b) {legitimate interest}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — confer an interest or a benefit on the individual under a private trust or benefit plan; and FIRST SCHEDULE PART 3 § 7.(a)]	Privacy protection for information and data	Preventive
Process personal data in order to advance the public interest. CC ID 00191 [The use of personal data about an individual for a research purpose (including historical or statistical research), if — there is a clear public benefit to using the personal data for the research purpose; SECOND SCHEDULE PART 2 Division 3 § 1.(b)]	Privacy protection for information and data	Preventive
Process personal data for surveys, archives, or scientific research. CC ID 00192	Privacy protection for information and data	Preventive
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 [{without consent} The personal data about an individual is collected, used or disclosed (as the case may be) by a news organisation solely for its news activity. FIRST SCHEDULE PART 2 § 5. {without consent}{artistic purpose}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for artistic or literary purposes. FIRST SCHEDULE PART 2 § 3.]	Privacy protection for information and data	Preventive
Process personal data for academic purposes or religious purposes. CC ID 00194	Privacy protection for information and data	Preventive
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195	Privacy protection for information and data	Preventive
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196	Privacy protection for information and data	Preventive
Follow legal obligations while processing personal data. CC ID 04794	Privacy protection for information and data	Preventive
Start personal data processing only after the needed notifications are submitted. CC ID 04791	Privacy protection for information and data	Preventive
Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 [An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if— it is reasonable that the individual would voluntarily provide the y-verb">le="background-color:#F0BBBC;" class="term_primary-noun">data. § 15.(1)(b) An organisation may — use personal data about an individual without the consent of the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 2 of the Second Schedule; or § 17.(1)(b) {individual's vital interest}{without consent}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — the individual would not reasonably be expected to withhold consent. FIRST SCHEDULE PART 1 § 1.(1)(b) {without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is in the national interest. FIRST SCHEDULE PART 2 § 2. {business improvement purpose}{organization}Subject to the conditions in sub-paragraphs (3), (4) and (5), personal data about an individual (P) — is used by X for a relevant purpose; or FIRST SCHEDULE PART 5 § 1.(1)(b) {business improvement purpose}Sub-paragraph (1)(b) applies only if — a reasonable person would consider the use of personal data about P for the relevant purpose to be appropriate in the circumstances. FIRST SCHEDULE PART 5 § 1.(4)(b) {business improvement purpose}{refrain from achieving}Sub-paragraph (1)(b) applies only if — the relevant purpose for which X uses personal data about P cannot reasonably be achieved without the use of the personal data in an individually identifiable form; and FIRST SCHEDULE PART 5 § 1.(4)(a)]	Privacy protection for information and data	Preventive
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617	Privacy protection for information and data	Preventive
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 [{without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or FIRST SCHEDULE PART 3 § 10.(a) {without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. FIRST SCHEDULE PART 3 § 10.(b)]	Privacy protection for information and data	Preventive
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612	Privacy protection for information and data	Preventive
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 [Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: improving or enhancing any goods or services provided, or developing new goods or services to be provided, by the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(a) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: learning about and understanding the behaviour and preferences of P or another individual in relation to the goods or services provided by the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(c) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: identifying any goods or services provided by the organisation that may be suitable for P or another individual, or personalising or customising any such goods or services for P or another individual. SECOND SCHEDULE PART 2 Division 2 § 1.(1)(d) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: identifying any goods or services provided by the organisation that may be suitable for P or another individual, or personalising or customising any such goods or services for P or another individual. SECOND SCHEDULE PART 2 Division 2 § 1.(1)(d)]	Privacy protection for information and data	Preventive
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 [{individual's vital interest}The collection, use or disclosure (as the case may be) of personal data about an individual, where — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; and FIRST SCHEDULE PART 1 § 3.(a)]	Privacy protection for information and data	Preventive
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 [{individual's vital interest}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; or FIRST SCHEDULE PART 1 § 1.(1)(a)]	Privacy protection for information and data	Preventive
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 [{without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is used or disclosed by X in relation to the business asset transaction; or FIRST SCHEDULE PART 4 § 1.(1)(b) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is used or disclosed by X or Y in relation to the relevant transaction; or FIRST SCHEDULE PART 4 § 2.(1)(b) {legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — relates to a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual. FIRST SCHEDULE PART 3 § 6.(1)(b) {business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: X may use or disclose the personal data collected from Y or Z (as the case may be) only for the same purposes for which Y or Z (as the case may be) would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(a)]	Privacy protection for information and data	Preventive
Process personal data absent consent in order to perform a contract. CC ID 13586 [{prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: X may use or disclose the personal data X collected from Y only for the same purposes for which Y would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 1.(4)(a) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X and Y must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the business asset transaction. FIRST SCHEDULE PART 4 § 1.(3)(b) {business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y and Z must have entered into an agreement that requires Y to use or disclose the personal data solely for purposes related to the relevant transaction. FIRST SCHEDULE PART 4 § 2.(2)(b)(ii)]	Privacy protection for information and data	Preventive
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581	Privacy protection for information and data	Preventive
Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814	Privacy protection for information and data	Preventive
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 [{is necessary}{without consent} The collection, use or disclosure of personal data is for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual. FIRST SCHEDULE PART 1 § 4.]	Privacy protection for information and data	Preventive
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579	Privacy protection for information and data	Preventive
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 [{refrain from achieving}The use of personal data about an individual for a research purpose (including historical or statistical research), if — the research purpose cannot reasonably be accomplished unless the personal data is used in an individually identifiable form; SECOND SCHEDULE PART 2 Division 3 § 1.(a) {collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for evaluative purposes. FIRST SCHEDULE PART 3 § 2. The use of personal data about an individual for a research purpose (including historical or statistical research), if — the results of the research will not be used to make any decision that affects the individual; and SECOND SCHEDULE PART 2 Division 3 § 1.(c)]	Privacy protection for information and data	Preventive
Process personal data absent consent when it is needed by law. CC ID 13577 [{refrain from processing} An organisation shall not, on or after the appointed day, collect,use or disclose personal data about an individual unless— the collection, use or disclosure, as the case may be, without the consent of the individual is 0E5;" class="term_secondary-verb">required or authorised under this Act or any other written law. § 13.(b) Subject to section 25, if an individual withdraws consent to the collection, use or disclosure of personal data about the individual by an organisation for any purpose, the organisation shall cease (and cause its data intermediaries and agents to cease) collecting, using or disclosing the personal data, as the case may be, unless such collection, use or disclosure, as the case may be, without the consent of the individual is required or authorised under this Act or other written law. § 16.(4)]	Privacy protection for information and data	Preventive
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 [{without consent}{archival purpose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for archival or historical purposes, if a reasonable person would not consider the personal data to be too sensitive to the individual to be collected, used or disclosed (as the case may be) at the proposed time. FIRST SCHEDULE PART 2 § 4.]	Privacy protection for information and data	Preventive
Process personal data absent consent when it is from publicly available information. CC ID 13576 [{without consent}The use of personal data about an individual, if — the personal data was disclosed by a public agency; and SECOND SCHEDULE PART 2 Division 1 § 1.(a)]	Privacy protection for information and data	Preventive
Process personal data absent consent to create a credit report. CC ID 15288 [{legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — is for the purpose of the preparation by a credit bureau of a credit report; or FIRST SCHEDULE PART 3 § 6.(1)(a)]	Privacy protection for information and data	Preventive
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 [Unless otherwise provided under this Act, an organisation may — use or disclose personal data about an individual that — for purposes consistent with the purpose of that collection, or for any purpose permitted by subsection (1)(b) or (c), as the case may be. § 17.(2)(b) ¶ 1 Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the collection and use of that personal data by B, where the collection and use are reasonably necessary for any purpose mentioned in paragraph (a); § 15.(6)(b) {without consent}The personal data about an individual — is collected, used or disclosed (as the case may be) for purposes consistent with the purpose for which the document was produced. FIRST SCHEDULE PART 3 § 9.(b) {personal purpose}{domestic purposes}The personal data about an individual — is collected, used or disclosed (as the case may be) by the organisation solely for the purpose in sub-paragraph (a). FIRST SCHEDULE PART 3 § 8.(b) {without consent}The use of personal data about an individual, if — the use of personal data by the organization is consistent with the purpose of the disclosure by the public agency. SECOND SCHEDULE PART 2 Division 1 § 1.(b)]	Privacy protection for information and data	Preventive
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 [{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — administer that trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be. FIRST SCHEDULE PART 3 § 7.(b)]	Privacy protection for information and data	Preventive
Process personal data absent consent when produced for business purposes. CC ID 13563 [Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: improving or enhancing any goods or services provided, or developing new goods or services to be provided, by the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(a) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: improving or enhancing the methods or processes, or developing new methods or processes, for the operations of the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(b) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: improving or enhancing the methods or processes, or developing new methods or processes, for the operations of the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(b) {cannot achieve}Sub-paragraph (1) applies only if — the purpose for which the organisation uses personal data about P cannot reasonably be achieved without the use of the personal data in an individually identifiable form; and SECOND SCHEDULE PART 2 Division 2 § 1.(2)(a) {business improvement purpose}Sub-paragraph (1) applies only if — a reasonable person would consider the use of personal data about P for that purpose to be appropriate in the circumstances. SECOND SCHEDULE PART 2 Division 2 § 1.(2)(b)]	Privacy protection for information and data	Preventive
Process personal data absent consent for handling insurance claims. CC ID 13561	Privacy protection for information and data	Preventive
Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533	Privacy protection for information and data	Preventive
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560	Privacy protection for information and data	Preventive
Process personal data absent consent for life-threatening emergencies. CC ID 13558 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual, where — there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected. FIRST SCHEDULE PART 1 § 3.(b)]	Privacy protection for information and data	Preventive
Process personal data absent consent for reasonable investigative purposes. CC ID 13557 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any investigation or proceedings. FIRST SCHEDULE PART 3 § 3.]	Privacy protection for information and data	Preventive
Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary — § 15.(6)(a)]	Privacy protection for information and data	Preventive
Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the collection and use of that personal data by B; § 15.(3)(b)]	Privacy protection for information and data	Detective
Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793	Privacy protection for information and data	Preventive
Disclose restricted data absent consent when the law does not require consent. CC ID 00136	Privacy protection for information and data	Preventive
Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 [Unless otherwise provided under this Act, an organisation may — use or disclose personal data about an individual that — for purposes consistent with the purpose of that collection, or for any purpose permitted by subsection (1)(b) or (c), as the case may be. § 17.(2)(b) ¶ 1 Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by B to another organisation, where the disclosure is reasonably necessary for any purpose mentioned in paragraph (a). § 15.(6)(c) {personal purpose}{domestic purposes}The personal data about an individual — is collected, used or disclosed (as the case may be) by the organisation solely for the purpose in sub-paragraph (a). FIRST SCHEDULE PART 3 § 8.(b) {business improvement purpose}{refrain from achieving}Sub-paragraph (1)(a) and (c) applies only if — the relevant purpose for which X collects, or Y discloses, personal data about P cannot reasonably be achieved without the collection, use or disclosure (as the case may be) of the personal data in an individually identifiable form; FIRST SCHEDULE PART 5 § 1.(3)(a) {without consent}The personal data about an individual — is collected, used or disclosed (as the case may be) for purposes consistent with the purpose for which the document was produced. FIRST SCHEDULE PART 3 § 9.(b)]	Privacy protection for information and data	Preventive
Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the disclosure of that personal data by A to another organisation (B); § 15.(3)(a) Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the disclosure of that personal data by B to another organisation. § 15.(3)(c) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer of Y; and FIRST SCHEDULE PART 5 § 1.(5)(a) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer or a prospective customer of X. FIRST SCHEDULE PART 5 § 1.(5)(b)]	Privacy protection for information and data	Preventive
Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594	Privacy protection for information and data	Preventive
Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 [{individual's vital interest}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; or FIRST SCHEDULE PART 1 § 1.(1)(a)]	Privacy protection for information and data	Preventive
Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 [{without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or FIRST SCHEDULE PART 3 § 10.(a) {without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. FIRST SCHEDULE PART 3 § 10.(b)]	Privacy protection for information and data	Preventive
Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613	Privacy protection for information and data	Preventive
Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603	Privacy protection for information and data	Preventive
Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598	Privacy protection for information and data	Preventive
Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597	Privacy protection for information and data	Preventive
Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596	Privacy protection for information and data	Preventive
Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592	Privacy protection for information and data	Preventive
Disclose personal data absent consent to create a credit report. CC ID 15297 [{legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — is for the purpose of the preparation by a credit bureau of a credit report; or FIRST SCHEDULE PART 3 § 6.(1)(a)]	Privacy protection for information and data	Preventive
Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595	Privacy protection for information and data	Preventive
Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583	Privacy protection for information and data	Preventive
Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593	Privacy protection for information and data	Preventive
Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 [{business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y may collect, and Z may disclose, only personal data that is necessary for X or Y (as the case may be) to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(b)(i)]	Privacy protection for information and data	Preventive
Disclose personal data absent consent for handling insurance claims. CC ID 13585	Privacy protection for information and data	Preventive
Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584	Privacy protection for information and data	Preventive
Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555	Privacy protection for information and data	Preventive
Disclose personal data absent consent for transactions related to the consumer. CC ID 14853	Privacy protection for information and data	Preventive
Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582	Privacy protection for information and data	Preventive
Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 [{is necessary}{without consent} The collection, use or disclosure of personal data is for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual. FIRST SCHEDULE PART 1 § 4.]	Privacy protection for information and data	Preventive
Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 [{collect}{disclose}Subject to sub-paragraphs (2), (3) and (4) — the collection, use or disclosure (as the case may be) of personal data about an individual is in the legitimate interests of the organisation or another person; and FIRST SCHEDULE PART 3 § 1.(1)(a)]	Privacy protection for information and data	Preventive
Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553	Privacy protection for information and data	Preventive
Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 [{individual's vital interest}The collection, use or disclosure (as the case may be) of personal data about an individual, where — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; and FIRST SCHEDULE PART 1 § 3.(a) The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — it is impracticable for the organisation to seek the consent of the individual for the disclosure; SECOND SCHEDULE PART 3 Division 2 § 1.(b)]	Privacy protection for information and data	Preventive
Disclose restricted data absent consent in order to perform a contract. CC ID 00139 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary — for the conclusion or performance of a contract between A and B which is entered into at P's request, or which a reasonable person would consider to be in P's interest; § 15.(6)(a)(ii) {without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is used or disclosed by X in relation to the business asset transaction; or FIRST SCHEDULE PART 4 § 1.(1)(b) {without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is disclosed by Y to X for the purposes of the business transaction. FIRST SCHEDULE PART 4 § 1.(1)(c) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X may collect, and Y may disclose, only personal data that is necessary for X to determine whether to proceed with the business asset transaction; FIRST SCHEDULE PART 4 § 1.(3)(a) {prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: X may use or disclose the personal data X collected from Y only for the same purposes for which Y would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 1.(4)(a) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X and Y must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the business asset transaction. FIRST SCHEDULE PART 4 § 1.(3)(b) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is used or disclosed by X or Y in relation to the relevant transaction; or FIRST SCHEDULE PART 4 § 2.(1)(b) Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary — for the performance of the contract between P and A; or § 15.(6)(a)(i) {legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — relates to a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual. FIRST SCHEDULE PART 3 § 6.(1)(b) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is disclosed by Y or Z (as the case may be) to X, or by Z to Y, for the purposes of the relevant transaction. FIRST SCHEDULE PART 4 § 2.(1)(c) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X may collect, and Y or Z (as the case may be) may disclose, only personal data that is necessary for X to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(a)(i) {business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: X may use or disclose the personal data collected from Y or Z (as the case may be) only for the same purposes for which Y or Z (as the case may be) would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(a) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X and Y or Z (as the case may be) must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the relevant transaction; FIRST SCHEDULE PART 4 § 2.(2)(a)(ii) {business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y and Z must have entered into an agreement that requires Y to use or disclose the personal data solely for purposes related to the relevant transaction. FIRST SCHEDULE PART 4 § 2.(2)(b)(ii) {legitimate interest}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — confer an interest or a benefit on the individual under a private trust or benefit plan; and FIRST SCHEDULE PART 3 § 7.(a)]	Privacy protection for information and data	Preventive
Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140	Privacy protection for information and data	Preventive
Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 [{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — administer that trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be. FIRST SCHEDULE PART 3 § 7.(b)]	Privacy protection for information and data	Preventive
Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 [{disclose}The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — in the event that the results of the research are published, the organisation publishes the results in a form that does not identify the individual. SECOND SCHEDULE PART 3 Division 2 § 1.(e)]	Privacy protection for information and data	Preventive
Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141	Privacy protection for information and data	Preventive
Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142	Privacy protection for information and data	Preventive
Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143	Privacy protection for information and data	Preventive
Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 [{disclose}{without consent} The disclosure of personal data about an individual to a public agency, where the disclosure is necessary in the public interest. SECOND SCHEDULE PART 3 Division 1 § 1.]	Privacy protection for information and data	Preventive
Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145	Privacy protection for information and data	Preventive
Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 [The use of personal data about an individual for a research purpose (including historical or statistical research), if — in the event that the results of the research are published, the organisation publishes the results in a form that does not identify the individual. SECOND SCHEDULE PART 2 Division 3 § 1.(d) {refrain from achieving}The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — the research purpose cannot reasonably be accomplished unless the personal data is disclosed in an individually identifiable form; SECOND SCHEDULE PART 3 Division 2 § 1.(a) The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — there is a clear public benefit to disclosing the personal data for the research purpose; SECOND SCHEDULE PART 3 Division 2 § 1.(c) {collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for evaluative purposes. FIRST SCHEDULE PART 3 § 2. {disclose}The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — the results of the research will not be used to make a decision that affects the individual; and SECOND SCHEDULE PART 3 Division 2 § 1.(d)]	Privacy protection for information and data	Preventive
Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 [{without consent}{archival purpose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for archival or historical purposes, if a reasonable person would not consider the personal data to be too sensitive to the individual to be collected, used or disclosed (as the case may be) at the proposed time. FIRST SCHEDULE PART 2 § 4.]	Privacy protection for information and data	Preventive
Disclose restricted data absent consent for public economic interests. CC ID 00148	Privacy protection for information and data	Preventive
Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is in the national interest. FIRST SCHEDULE PART 2 § 2.]	Privacy protection for information and data	Preventive
Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 [{without consent} The personal data about an individual is collected, used or disclosed (as the case may be) by a news organisation solely for its news activity. FIRST SCHEDULE PART 2 § 5. {without consent}{artistic purpose}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for artistic or literary purposes. FIRST SCHEDULE PART 2 § 3.]	Privacy protection for information and data	Preventive
Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual that is publicly available. FIRST SCHEDULE PART 2 § 1.]	Privacy protection for information and data	Preventive
Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152	Privacy protection for information and data	Preventive
Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153	Privacy protection for information and data	Preventive
Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 [{individual's vital interest}{collect}{disclose} Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — FIRST SCHEDULE PART 1 § 1.(1)]	Privacy protection for information and data	Preventive
Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual, where — there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected. FIRST SCHEDULE PART 1 § 3.(b)]	Privacy protection for information and data	Preventive
Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any investigation or proceedings. FIRST SCHEDULE PART 3 § 3. {collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services. FIRST SCHEDULE PART 3 § 5.]	Privacy protection for information and data	Preventive
Disclose restricted data absent consent when it is needed by law. CC ID 00163	Privacy protection for information and data	Preventive
Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 [An organisation must not inform any individual under subsection (1)(b) that the organisation has disclosed personal data about the individual to a prescribed law enforcement agency if the disclosure was made under this Act or any other written law without the consent of the individual. § 21.(4) {disclose} The disclosure of personal data about any individual to any officer of a prescribed law enforcement agency, upon production of written authorisation signed by the head or director of that prescribed law enforcement agency or a person of a similar rank, certifying that the personal data is necessary for the purposes of the functions or duties of the officer. SECOND SCHEDULE PART 3 Division 1 § 4.]	Privacy protection for information and data	Preventive
Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164	Privacy protection for information and data	Preventive
Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855	Privacy protection for information and data	Preventive
Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to recover a debt owed by the individual to the organisation; or FIRST SCHEDULE PART 3 § 4.(a) {collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to pay to the individual a debt owed by the organisation. FIRST SCHEDULE PART 3 § 4.(b)]	Privacy protection for information and data	Preventive
Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166	Privacy protection for information and data	Preventive
Limit the redisclosure and reuse of restricted data. CC ID 00168	Privacy protection for information and data	Preventive
Refrain from redisclosing or reusing restricted data. CC ID 00169	Privacy protection for information and data	Preventive
Redisclose restricted data when the data subject consents. CC ID 00171	Privacy protection for information and data	Preventive
Redisclose restricted data when it is for criminal law enforcement. CC ID 00172	Privacy protection for information and data	Preventive
Redisclose restricted data in order to protect public revenue. CC ID 00173	Privacy protection for information and data	Preventive
Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174	Privacy protection for information and data	Preventive
Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175	Privacy protection for information and data	Preventive
Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176	Privacy protection for information and data	Preventive
Redisclose restricted data in order to preserve human life at sea. CC ID 00177	Privacy protection for information and data	Preventive
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178	Privacy protection for information and data	Preventive
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198	Privacy protection for information and data	Preventive
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199	Privacy protection for information and data	Preventive
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238	Privacy protection for information and data	Preventive
Process Personal Identification Numbers with consent. CC ID 00239	Privacy protection for information and data	Preventive
Obtain consent prior to selling a Personal Identification Number. CC ID 00240	Privacy protection for information and data	Preventive
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241	Privacy protection for information and data	Preventive
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254	Privacy protection for information and data	Preventive
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255	Privacy protection for information and data	Preventive
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252	Privacy protection for information and data	Preventive
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247	Privacy protection for information and data	Preventive
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244	Privacy protection for information and data	Preventive
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243	Privacy protection for information and data	Preventive
Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821	Privacy protection for information and data	Preventive
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual; § 15A.(5)(a) {legitimate interest}{collect}{disclose}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify any adverse effect that the proposed collection, use or disclosure (as the case may be) of personal data about an individual is likely to have on the individual; FIRST SCHEDULE PART 3 § 1.(3)(a)]	Privacy protection for information and data	Preventive
Review personal data disclosure requests. CC ID 07129	Privacy protection for information and data	Preventive
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 [{personal data request} An organisation is not required to provide information under section 21(1) in respect of— any request— that would unreasonably interfere with the ound-color:#F0BBBC;" class="term_primary-noun">operations of the organisation because of the repetitious or systematic nature of the requests; FIFTH SCHEDULE § 1.(j)(i) {personal data request} An organisation is not required to provide information under section 21(1) in respect of— any request— for y-noun">informatground-color:#CBD0E5;" class="term_secondary-verb">ionan> that is trivial; or FIFTH SCHEDULE § 1.(j)(iv) {personal data request}{is unnecessary} An organisation is not required to provide information under section 21(1) in respect of— any request— that is otherwise frivolous or vexatious. FIFTH SCHEDULE § 1.(j)(v) {interfere}{operation} For the purposes of paragraph 1(j)(i), the organisation may have regard to the number and frequency of requests received. FIFTH SCHEDULE § 2.]	Privacy protection for information and data	Preventive
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 [{personal data request} An organisation is not required to provide information under section 21(1) in respect of— any request— for information that lass="term_primary-verb">does not exist or cannot be found; FIFTH SCHEDULE § 1.(j)(iii)]	Privacy protection for information and data	Preventive
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437	Privacy protection for information and data	Preventive
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 [{other person} An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to— class="term_primary-verb">reveal personal data about another individual; § 21.(3)(c) {other person} An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to — m_primary-verb">reveal the identity of an individual who has provided personal data about another individual and the individual providing the personal data does not consent to the disclosure of his identity; or § 21.(3)(d)]	Privacy protection for information and data	Preventive
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439	Privacy protection for information and data	Preventive
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440	Privacy protection for information and data	Preventive
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [An organisation is not required to provide information under section 21(1) in respect of— personal data which, if disclosed, would reveal or:#F0BBBC;" class="term_primary-noun">confidential commercial information that could, in the opispan>nion of a reasonable person, harm the ">competitive position of the organisation; FIFTH SCHEDULE § 1.(g)]	Privacy protection for information and data	Preventive
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 [An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to— <span style="background-color:#B7D8ED;" class="term_primary-verb">threaten the safety or physical or mental health of an individual other than the individual who made the request; § 21.(3)(a) An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to— cause immediate or grave harm> to the ackground-color:#F0BBBC;" class="term_primary-noun">safety or to the physical or mental style="background-color:#F0BBBC;" class="term_primary-noun">health of the individual who made the request; § 21.(3)(b)]	Privacy protection for information and data	Preventive
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443	Privacy protection for information and data	Preventive
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600	Privacy protection for information and data	Preventive
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444	Privacy protection for information and data	Preventive
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 [An organisation is not required to provide information under section 21(1) in respect of— opinion data rb">keptan> solely for an style="background-color:#F0BBBC;" class="term_primary-noun">evaluative purpose; FIFTH SCHEDULE § 1.(a)]	Privacy protection for information and data	Preventive
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 [{contravene} An organisation shall not provide an individual with the individual's personal data or other information under subsection (1)if the provision of that round-color:#F0BBBC;" class="term_primary-noun">personal data or other information, as the case may be, could reasonably be expected to — be contrary to the national interest. § 21.(3)(e)]	Privacy protection for information and data	Detective
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447	Privacy protection for information and data	Preventive
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448	Privacy protection for information and data	Preventive
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449	Privacy protection for information and data	Preventive
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 [An organisation is not required to provide information under section 21(1) in respect of — personal data collected, used or disclosed without consent, under paragraph 3 of Part 3 of the First Schedule, for the purposes of an investigation if the investigation and associated proceedings and appeals have not been completed; FIFTH SCHEDULE § 1.(h)]	Privacy protection for information and data	Preventive
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451	Privacy protection for information and data	Preventive
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 [An organisation is not required to provide information under section 21(1) in respect of— the personal data was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he was appointed to act— under a un">collective agreement under the Industrial Relations Act (Cap. 136) or by agreement between the parties to the mediation or arbitration; FIFTH SCHEDULE § 1.(i)(i) An organisation is not required to provide information under section 21(1) in respect of— the personal data was collected or created by a mediator or arbitrator in the conduct of a ry-noun">mediationn> or arbitrationan> for which he was appointed to act— under any written m_primary-noun">law; or FIFTH SCHEDULE § 1.(i)(ii) An organisation is not required to provide information under section 21(1) in respect of— the personal data was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he was style="background-color:#CBD0E5;" class="term_secondary-verb">ED;" class="term_primary-verb">appointed to act— by a pan style="background-color:#F0BBBC;" class="term_primary-noun">court, arbitral institution or mediation centre; or FIFTH SCHEDULE § 1.(i)(iii)]	Privacy protection for information and data	Preventive
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874	Privacy protection for information and data	Preventive
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 [{personal data request}{be disproportionate} An organisation is not required to provide information under section 21(1) in respect of—any request— if the burden or expense of providing access would "background-color:#B7D8ED;" class="term_primary-verb">be unreasonable to the organisation or disproportionate to the individual's interests; FIFTH SCHEDULE § 1.(j)(ii) {personal data request}{be disproportionate} An organisation is not required to provide information under section 21(1) in respect of—any request— if the burden or expense of providing access would "background-color:#B7D8ED;" class="term_primary-verb">be unreasonable to the organisation or disproportionate to the individual's interests; FIFTH SCHEDULE § 1.(j)(ii)]	Privacy protection for information and data	Preventive
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [the organisation must, within the prescribed time and in accordance with the prescribed requirements, notify the individual of the rejection. § 21.(6) ¶ 1]	Privacy protection for information and data	Preventive
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454	Privacy protection for information and data	Preventive
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [Subject to subsections (2), (3) and (4), on request of an individual, an organisation shall, as soon as reasonably possible, provide the individual with— personal data> about the individual that is in the possession or under the control of the organisation; and § 21.(1)(a) {is complete} If an organisation is able to provide the individual with the individual's personal data and other information requested under subsection (1) without the personal data or other information excluded under subsections (2), (3) and (4), the organisation shall d-color:#B7D8ED;" class="term_primary-verb">provide the individual with ="term_primary-noun">access to the personal data and other information without the personal data or other information excluded under subsections (2), (3) and (4). § 21.(5)]	Privacy protection for information and data	Preventive
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876	Privacy protection for information and data	Preventive
Provide data or records in a reasonable time frame. CC ID 00429 [{person}A checker is deemed to have complied with subsection (2)(a) if — the checker provides the applicable information to P before the expiry of the prescribed period mentioned in section 43(2)(b)(i). § 43A.(3)(b)]	Privacy protection for information and data	Preventive
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591	Privacy protection for information and data	Preventive
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590	Privacy protection for information and data	Preventive
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589	Privacy protection for information and data	Preventive
Provide data at a cost that is not excessive. CC ID 00430	Privacy protection for information and data	Preventive
Provide records or data in a reasonable manner. CC ID 00431	Privacy protection for information and data	Preventive
Provide personal data in a form that is intelligible. CC ID 00432	Privacy protection for information and data	Preventive
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604	Privacy protection for information and data	Preventive
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602	Privacy protection for information and data	Preventive
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601	Privacy protection for information and data	Preventive
Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual; § 15A.(5)(a) {legitimate interest}{collect}{disclose}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify any adverse effect that the proposed collection, use or disclosure (as the case may be) of personal data about an individual is likely to have on the individual; FIRST SCHEDULE PART 3 § 1.(3)(a)]	Privacy protection for information and data	Preventive
Refrain from collecting personal data, as necessary. CC ID 15269 [An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless — § 13.]	Privacy protection for information and data	Preventive
Use personal data for specified purposes. CC ID 11831 [{business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: Y may use or disclose the personal data collected from Z only for the same purposes for which Z would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(b)]	Privacy protection for information and data	Preventive
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: § 15.(6)]	Privacy protection for information and data	Preventive
Provide explicit consent that is clear and unambiguous. CC ID 00181	Privacy protection for information and data	Preventive
Allow individuals to change their personal data collection consent preferences. CC ID 06946 [{allow} On giving reasonable notice to the organisation, an individual may at any time withdraw any consent given, or deemed to have been given under this Act, in respect of the collection, use or disclosure by that organisation of personal data about the individual for any purpose. § 16.(1) An organisation shall not prohibit an individual from withdrawing his consent to the collection, use or disclosure of personal data about the individual, but this section shall not affect any legal consequences arising from such withdrawal. § 16.(3)]	Privacy protection for information and data	Preventive
Adhere to each individual's personal data collection consent preferences. CC ID 06947	Privacy protection for information and data	Preventive
Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717	Privacy protection for information and data	Preventive
Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718	Privacy protection for information and data	Preventive
Include an individual's name in the personal data definition. CC ID 04710	Privacy protection for information and data	Preventive
Include an individual's name combined with other personal data in the personal data definition. CC ID 04709	Privacy protection for information and data	Preventive
Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686	Privacy protection for information and data	Preventive
Include an individual's signature in the personal data definition. CC ID 04711	Privacy protection for information and data	Preventive
Include an individual's date of birth in the personal data definition. CC ID 04770	Privacy protection for information and data	Preventive
Include an individual's physical characteristics or description in the personal data definition. CC ID 04712	Privacy protection for information and data	Preventive
Include an individual's biometric data in the personal data definition. CC ID 04698	Privacy protection for information and data	Preventive
Include an individual's photographic image in the personal data definition. CC ID 04779	Privacy protection for information and data	Preventive
Include an individual's fingerprints in the personal data definition. CC ID 04689	Privacy protection for information and data	Preventive
Include an individual's address in the personal data definition. CC ID 04687	Privacy protection for information and data	Preventive
Include an individual's telephone number in the personal data definition. CC ID 04688	Privacy protection for information and data	Preventive
Include an individual's fax number in the personal data definition. CC ID 07120	Privacy protection for information and data	Preventive
Include an individual's financial account number in the personal data definition. CC ID 04692	Privacy protection for information and data	Preventive
Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768	Privacy protection for information and data	Preventive
Include an individual's electronic identification name or number in the personal data definition. CC ID 04694	Privacy protection for information and data	Preventive
Include an individual's Alien Registration Number in the personal data definition. CC ID 04743	Privacy protection for information and data	Preventive
Include an individual's passport number in the personal data definition. CC ID 04713	Privacy protection for information and data	Preventive
Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691	Privacy protection for information and data	Preventive
Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690	Privacy protection for information and data	Preventive
Include an individual's e-mail address in the personal data definition. CC ID 04696	Privacy protection for information and data	Preventive
Include electronic signatures in the personal data definition. CC ID 04697	Privacy protection for information and data	Preventive
Include an individual's payment card information in the personal data definition. CC ID 04751	Privacy protection for information and data	Preventive
Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693	Privacy protection for information and data	Preventive
Include an individual's payment card service code in the personal data definition. CC ID 04753	Privacy protection for information and data	Preventive
Include an individual's payment card expiration date in the personal data definition. CC ID 04755	Privacy protection for information and data	Preventive
Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825	Privacy protection for information and data	Preventive
Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700	Privacy protection for information and data	Preventive
Include an individual's medical history in the personal data definition. CC ID 04701	Privacy protection for information and data	Preventive
Include an individual's medical treatment in the personal data definition. CC ID 04702	Privacy protection for information and data	Preventive
Include an individual's medical diagnosis in the personal data definition. CC ID 04703	Privacy protection for information and data	Preventive
Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704	Privacy protection for information and data	Preventive
Include an individual's medical record numbers in the personal data definition. CC ID 07121	Privacy protection for information and data	Preventive
Include an individual's health insurance information in the personal data definition. CC ID 04705	Privacy protection for information and data	Preventive
Include an individual's health insurance policy number in the personal data definition. CC ID 04706	Privacy protection for information and data	Preventive
Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707	Privacy protection for information and data	Preventive
Include an individual's education information in the personal data definition. CC ID 04714	Privacy protection for information and data	Preventive
Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122	Privacy protection for information and data	Preventive
Include an individual's employment information in the personal data definition. CC ID 04715	Privacy protection for information and data	Preventive
Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767	Privacy protection for information and data	Preventive
Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763	Privacy protection for information and data	Preventive
Include an individual's employment history in the personal data definition. CC ID 04716	Privacy protection for information and data	Preventive
Include an individual's place of employment in the personal data definition. CC ID 04765	Privacy protection for information and data	Preventive
Include an individual's Employee Identification Number in the personal data definition. CC ID 04766	Privacy protection for information and data	Preventive
Include an individual's property information in the personal data definition. CC ID 04780	Privacy protection for information and data	Preventive
Include an individual's property title in the personal data definition. CC ID 04781	Privacy protection for information and data	Preventive
Include an individual's vehicle registration in the personal data definition. CC ID 04782	Privacy protection for information and data	Preventive
Include hardware asset identification information in the personal data definition. CC ID 07123	Privacy protection for information and data	Preventive
Include MAC addresses in the personal data definition. CC ID 04778	Privacy protection for information and data	Preventive
Include Internet Protocol addresses in the personal data definition. CC ID 04777	Privacy protection for information and data	Preventive
Include asset serial numbers in the personal data definition. CC ID 07124	Privacy protection for information and data	Preventive
Include Uniform Resource Locators in the personal data definition. CC ID 07125	Privacy protection for information and data	Preventive
Define specially restricted data. CC ID 00037	Privacy protection for information and data	Preventive
Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079	Privacy protection for information and data	Preventive
Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075	Privacy protection for information and data	Preventive
Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080	Privacy protection for information and data	Preventive
Implement a nondiscrimination principle. CC ID 00081	Privacy protection for information and data	Preventive
Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799	Privacy protection for information and data	Preventive
Preserve each individual's right to human dignity. CC ID 00082	Privacy protection for information and data	Preventive
Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058	Privacy protection for information and data	Preventive
Collect Personal Identification Numbers with the individual's consent. CC ID 00059	Privacy protection for information and data	Preventive
Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061	Privacy protection for information and data	Preventive
Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065	Privacy protection for information and data	Preventive
Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792	Privacy protection for information and data	Preventive
Manage health data collection. CC ID 00050	Privacy protection for information and data	Preventive
Collect Individually Identifiable Health Information to provide health care services. CC ID 00052	Privacy protection for information and data	Preventive
Collect Individually Identifiable Health Information when the law dictates. CC ID 00053	Privacy protection for information and data	Preventive
Collect Individually Identifiable Health Information for research. CC ID 00054	Privacy protection for information and data	Preventive
Remove personal data before disclosing health data. CC ID 00055	Privacy protection for information and data	Preventive
Give special attention to collecting children's data. CC ID 00038	Privacy protection for information and data	Preventive
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049	Privacy protection for information and data	Preventive
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199	Privacy protection for information and data	Preventive
Collect personal data directly from the data subject. CC ID 00011	Privacy protection for information and data	Preventive
Create and manage user account aliases to maintain pseudonymity. CC ID 04549	Privacy protection for information and data	Preventive
Provide unlinkability for users and resources. CC ID 04550	Privacy protection for information and data	Preventive
Collect restricted data in a fair and lawful manner. CC ID 00010 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the collection and use of that personal data by B; § 15.(3)(b)]	Privacy protection for information and data	Preventive
Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 [An organisation may — collect personal data about an individual, without the consent of the individual or from a source other than the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 1 of the Second Schedule; § 17.(1)(a) {individual's vital interest}{without consent}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — the individual would not reasonably be expected to withhold consent. FIRST SCHEDULE PART 1 § 1.(1)(b) {without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is in the national interest. FIRST SCHEDULE PART 2 § 2. {business improvement purpose}Sub-paragraph (1)(a) and (c) applies only if — a reasonable person would consider the collection or disclosure of personal data about P for the relevant purpose to be appropriate in the circumstances; and FIRST SCHEDULE PART 5 § 1.(3)(b) Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — § 17.(2)(a) Subject to the conditions in sub-paragraphs (3), (4) and (5), personal data about an individual (P) — is collected by an organisation (X) that is a corporation from a related corporation (Y) for a purpose specified in sub-paragraph (2) (called the relevant purpose); FIRST SCHEDULE PART 5 § 1.(1)(a) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer of Y; and FIRST SCHEDULE PART 5 § 1.(5)(a) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer or a prospective customer of X. FIRST SCHEDULE PART 5 § 1.(5)(b) {personal purpose}The personal data about an individual — is provided to the organisation by another individual to enable the organisation to provide a service for the personal or domestic purposes of that other individual; and FIRST SCHEDULE PART 3 § 8.(a) {without consent}Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — on or after the specified date in accordance with subsection (1)(c); or § 17.(2)(a)(i) {without consent}Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — before the specified date in accordance with section 17(3) as in force before the specified date, § 17.(2)(a)(ii)]	Privacy protection for information and data	Preventive
Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 [{individual's vital interest}The collection, use or disclosure (as the case may be) of personal data about an individual, where — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; and FIRST SCHEDULE PART 1 § 3.(a) {individual's vital interest}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; or FIRST SCHEDULE PART 1 § 1.(1)(a) {legitimate interest}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — confer an interest or a benefit on the individual under a private trust or benefit plan; and FIRST SCHEDULE PART 3 § 7.(a)]	Privacy protection for information and data	Preventive
Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015	Privacy protection for information and data	Preventive
Collect personal data absent consent in order to make a disclosure. CC ID 13550 [{individual}{consent} Where an organisation collects personal data disclosed to it by B under subsection (6)(c), subsection (6)(b) and (c) applies to the organisation as if the personal data were disclosed by A to the organisation under subsection (6)(a). § 15.(7) {without consent}{collect}The collection of personal data about an individual, if — the personal data was disclosed by a public agency; and SECOND SCHEDULE PART 1 § 1.(a)]	Privacy protection for information and data	Preventive
Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any investigation or proceedings. FIRST SCHEDULE PART 3 § 3.]	Privacy protection for information and data	Preventive
Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the collection and use of that personal data by B, where the collection and use are reasonably necessary for any purpose mentioned in paragraph (a); § 15.(6)(b) {without consent}The personal data about an individual — is collected, used or disclosed (as the case may be) for purposes consistent with the purpose for which the document was produced. FIRST SCHEDULE PART 3 § 9.(b) {business improvement purpose}{refrain from achieving}Sub-paragraph (1)(a) and (c) applies only if — the relevant purpose for which X collects, or Y discloses, personal data about P cannot reasonably be achieved without the collection, use or disclosure (as the case may be) of the personal data in an individually identifiable form; FIRST SCHEDULE PART 5 § 1.(3)(a) {collect}{without consent}The collection of personal data about an individual, if — the collection of personal data by the organisation is consistent with the purpose of the disclosure by the public agency. SECOND SCHEDULE PART 1 § 1.(b) {personal purpose}{domestic purposes}The personal data about an individual — is collected, used or disclosed (as the case may be) by the organisation solely for the purpose in sub-paragraph (a). FIRST SCHEDULE PART 3 § 8.(b)]	Privacy protection for information and data	Preventive
Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 [{collect}{without consent}The personal data about an individual — is included in a document produced in the course, and for the purposes, of the individual's employment, business or profession; and FIRST SCHEDULE PART 3 § 9.(a) {without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is collected from Y by X for the purposes of the business asset transaction; FIRST SCHEDULE PART 4 § 1.(1)(a) {organization}{party} Where the business asset transaction concerns any part of Y or Y's business assets, the personal data mentioned in sub-paragraph (1) must relate directly to that part of Y or Y's business assets, as the case may be. FIRST SCHEDULE PART 4 § 1.(2) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X may collect, and Y may disclose, only personal data that is necessary for X to determine whether to proceed with the business asset transaction; FIRST SCHEDULE PART 4 § 1.(3)(a) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is collected from Y or Z by X, or from Z by Y, for the purposes of the relevant transaction; FIRST SCHEDULE PART 4 § 2.(1)(a) {legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — relates to a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual. FIRST SCHEDULE PART 3 § 6.(1)(b) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X may collect, and Y or Z (as the case may be) may disclose, only personal data that is necessary for X to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(a)(i) {business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y may collect, and Z may disclose, only personal data that is necessary for X or Y (as the case may be) to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(b)(i) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X and Y or Z (as the case may be) must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the relevant transaction; FIRST SCHEDULE PART 4 § 2.(2)(a)(ii)]	Privacy protection for information and data	Preventive
Collect personal data absent consent for handling insurance claims. CC ID 13543	Privacy protection for information and data	Preventive
Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016	Privacy protection for information and data	Preventive
Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 [{is necessary}{without consent} The collection, use or disclosure of personal data is for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual. FIRST SCHEDULE PART 1 § 4.]	Privacy protection for information and data	Preventive
Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 [{without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or FIRST SCHEDULE PART 3 § 10.(a) {without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. FIRST SCHEDULE PART 3 § 10.(b)]	Privacy protection for information and data	Preventive
Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 [{individual's vital interest}{collect}{disclose} Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — FIRST SCHEDULE PART 1 § 1.(1)]	Privacy protection for information and data	Preventive
Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 [{without consent}{archival purpose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for archival or historical purposes, if a reasonable person would not consider the personal data to be too sensitive to the individual to be collected, used or disclosed (as the case may be) at the proposed time. FIRST SCHEDULE PART 2 § 4.]	Privacy protection for information and data	Preventive
Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 [{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — administer that trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be. FIRST SCHEDULE PART 3 § 7.(b)]	Privacy protection for information and data	Preventive
Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 [{without consent}{artistic purpose}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for artistic or literary purposes. FIRST SCHEDULE PART 2 § 3. {without consent} The personal data about an individual is collected, used or disclosed (as the case may be) by a news organisation solely for its news activity. FIRST SCHEDULE PART 2 § 5.]	Privacy protection for information and data	Preventive
Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to recover a debt owed by the individual to the organisation; or FIRST SCHEDULE PART 3 § 4.(a) {collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to pay to the individual a debt owed by the organisation. FIRST SCHEDULE PART 3 § 4.(b)]	Privacy protection for information and data	Preventive
Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for evaluative purposes. FIRST SCHEDULE PART 3 § 2.]	Privacy protection for information and data	Preventive
Collect restricted data absent consent from publicly available information. CC ID 00019 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual that is publicly available. FIRST SCHEDULE PART 2 § 1.]	Privacy protection for information and data	Preventive
Collect restricted data absent consent when needed by law. CC ID 00020	Privacy protection for information and data	Preventive
Collect personal data absent consent to create a credit report. CC ID 15287 [{legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — is for the purpose of the preparation by a credit bureau of a credit report; or FIRST SCHEDULE PART 3 § 6.(1)(a)]	Privacy protection for information and data	Preventive
Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021	Privacy protection for information and data	Preventive
Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022	Privacy protection for information and data	Preventive
Collect the minimum amount of restricted data necessary. CC ID 00078	Privacy protection for information and data	Preventive
Collect restricted data in a proper information framework. CC ID 00009	Privacy protection for information and data	Preventive
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 [Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — for purposes consistent with the purpose of that disclosure, or for any purpose permitted by subsection (1)(a); or § 17.(2)(a) ¶ 1 {collect}{disclose}Subject to sub-paragraphs (2), (3) and (4) — the collection, use or disclosure (as the case may be) of personal data about an individual is in the legitimate interests of the organisation or another person; and FIRST SCHEDULE PART 3 § 1.(1)(a)]	Privacy protection for information and data	Preventive
Collect restricted data when required by law. CC ID 00031	Privacy protection for information and data	Preventive
Collect restricted data to prevent life-threatening emergencies. CC ID 00032 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual, where — there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected. FIRST SCHEDULE PART 1 § 3.(b)]	Privacy protection for information and data	Preventive
Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034	Privacy protection for information and data	Preventive
Collect restricted data for legal purposes. CC ID 00036 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services. FIRST SCHEDULE PART 3 § 5.]	Privacy protection for information and data	Preventive
Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316	Privacy protection for information and data	Preventive
Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317	Privacy protection for information and data	Preventive
Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318	Privacy protection for information and data	Preventive
Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319	Privacy protection for information and data	Preventive
Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320	Privacy protection for information and data	Preventive
Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321	Privacy protection for information and data	Preventive
Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322	Privacy protection for information and data	Preventive
Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323	Privacy protection for information and data	Preventive
Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324	Privacy protection for information and data	Preventive
Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325	Privacy protection for information and data	Preventive
Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326	Privacy protection for information and data	Preventive
Develop remedies and sanctions for privacy policy violations. CC ID 00474	Privacy protection for information and data	Preventive
Change or destroy any personal data that is incorrect. CC ID 00462 [When an organisation is notified under subsection (2)(b) or (3) of a correction of personal data, the organisation shall correct the personal data in its possession or under its control unless the organisation is satisfied on reasonable grounds that the correction should "background-color:#CBD0E5;" class="term_secondary-verb">not be made. § 22.(4) Unless the organisation is satisfied on reasonable grounds that a correction should not be made, the organisation shall — correct the personal data as soon as practicable; and § 22.(2)(a)]	Privacy protection for information and data	Corrective
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 [{refrain from correcting} Nothing in this section shall require an organisation to correct or otherwise alter an opinion, including a professional or an expert opinion. § 22.(6)]	Privacy protection for information and data	Preventive
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465	Privacy protection for information and data	Corrective
Notify individuals of their right to challenge personal data. CC ID 00457	Privacy protection for information and data	Preventive
Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458	Privacy protection for information and data	Preventive
Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459	Privacy protection for information and data	Preventive
Investigate the disputed accuracy of personal data. CC ID 00461	Privacy protection for information and data	Preventive
Establish, implement, and maintain a Customer Information Management program. CC ID 00084	Privacy protection for information and data	Preventive
Check the accuracy of restricted data. CC ID 00088 [{is complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data— is likely to be und-color:#B7D8ED;" class="term_primary-verb">used by the organisation to imary-verb">make a decision that affects the individual to whom the personal data " class="term_secondary-verb">relates; or § 23.(a) {is complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the _primary-noun">personal data— is likely to be e="background-color:#B7D8ED;" class="term_primary-verb">disclosed by the organisation to another organisation. § 23.(b) {person}A checker must — ensure that the applicable information provided to P is accurate; and § 43A.(2)(a) {be complete}{be accurate} The organisation must ensure that the copy of the personal data it preserves for the purposes of subsection (1) is a complete and accurate copy of the personal data concerned. § 22A.(2) {be complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation verb">is accurate and complete, if the personal data — § 23.]	Privacy protection for information and data	Preventive
Check that restricted data is complete. CC ID 00090 [{be complete}{be accurate} The organisation must ensure that the copy of the personal data it preserves for the purposes of subsection (1) is a complete and accurate copy of the personal data concerned. § 22A.(2) {be complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data — § 23.]	Privacy protection for information and data	Preventive
Make the opt-out functional after the e-mail is sent, as necessary. CC ID 00290	Privacy protection for information and data	Preventive
Unsubscribe users from the opt-out notification, as necessary. CC ID 00291	Privacy protection for information and data	Preventive
Make identifiers accurate after e-mails are sent, as necessary. CC ID 00292	Privacy protection for information and data	Preventive
Enter individuals into the do-not-e-mail registry upon request. CC ID 11810	Privacy protection for information and data	Preventive
Give customers the opportunity to object to receiving commercial electronic messages. CC ID 00304 [{allow} For the avoidance of doubt, a subscriber of a Singapore telephone number may, at any time on or after the date of commencement of this Part, withdraw any consent given for the style="background-color:#CBD0E5;" class="term_secondary-verb">sending of a specified message to that Singapore telephone number. § 47.(6)]	Privacy protection for information and data	Preventive

Establish Roles

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Identify and define all critical roles. CC ID 00777	Human Resources management	Preventive
Define and assign the data controller's roles and responsibilities. CC ID 00471 [An organisation is responsible for personal data in its possession or under its yle="background-color:#F0BBBC;" class="term_primary-noun">control. § 11.(2)]	Human Resources management	Preventive
Assign the role of data controller to applicable controls. CC ID 00354	Human Resources management	Preventive
Assign the role of data controller to additional personnel, as necessary. CC ID 00473	Human Resources management	Preventive
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764	Human Resources management	Preventive
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437	Operational management	Preventive
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146	Operational management	Preventive
Assign ownership of the information security program to the appropriate role. CC ID 00814	Operational management	Preventive
Include roles and responsibilities in the registration notice. CC ID 16803	Privacy protection for information and data	Preventive
Require data controllers to be accountable for their actions. CC ID 00470	Privacy protection for information and data	Preventive
Process restricted data lawfully and carefully. CC ID 00086 [{be appropriate} An organisation may collect, use or disclose personal data> about an individual only for purposes— that a reasonable person would consider appropriate in the n style="background-color:#F0BBBC;" class="term_primary-noun">circumstances; and § 18.(a)]	Privacy protection for information and data	Preventive
Define who enforces the anti-spam policy. CC ID 00295	Privacy protection for information and data	Preventive

Establish/Maintain Documentation

360

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain a risk management program. CC ID 12051	Audits and risk management	Preventive
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Audits and risk management	Preventive
Establish, implement, and maintain a risk assessment program. CC ID 00687	Audits and risk management	Preventive
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630	Audits and risk management	Preventive
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681	Audits and risk management	Preventive
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371	Audits and risk management	Preventive
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674	Audits and risk management	Preventive
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673	Audits and risk management	Preventive
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370	Audits and risk management	Preventive
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671	Audits and risk management	Preventive
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [{legitimate interest}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify and implement reasonable measures — to eliminate the adverse effect; FIRST SCHEDULE PART 3 § 1.(3)(b)(i) {legitimate interest}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify and implement reasonable measures — to reduce the likelihood that the adverse effect will occur; or FIRST SCHEDULE PART 3 § 1.(3)(b)(ii) {legitimate interest}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify and implement reasonable measures — to mitigate the adverse effect; and FIRST SCHEDULE PART 3 § 1.(3)(b)(iii)]	Audits and risk management	Preventive
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [An organisation shall — develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under this Act; § 12.(a)]	Operational management	Preventive
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266	Operational management	Preventive
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283	Operational management	Preventive
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853	Operational management	Preventive
Establish, implement, and maintain a compliance policy. CC ID 14807	Operational management	Preventive
Include the standard of conduct and accountability in the compliance policy. CC ID 14813	Operational management	Preventive
Include the scope in the compliance policy. CC ID 14812	Operational management	Preventive
Include roles and responsibilities in the compliance policy. CC ID 14811	Operational management	Preventive
Include a commitment to continual improvement in the compliance policy. CC ID 14810	Operational management	Preventive
Include management commitment in the compliance policy. CC ID 14808	Operational management	Preventive
Establish, implement, and maintain a governance policy. CC ID 15587	Operational management	Preventive
Include a commitment to continuous improvement in the governance policy. CC ID 15595	Operational management	Preventive
Include roles and responsibilities in the governance policy. CC ID 15594	Operational management	Preventive
Establish, implement, and maintain an internal control framework. CC ID 00820	Operational management	Preventive
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129	Operational management	Preventive
Include the implementation status of controls in the baseline of internal controls. CC ID 16128	Operational management	Preventive
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819	Operational management	Preventive
Include continuous service account management procedures in the internal control framework. CC ID 13860	Operational management	Preventive
Include threat assessment in the internal control framework. CC ID 01347	Operational management	Preventive
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102	Operational management	Preventive
Include personnel security procedures in the internal control framework. CC ID 01349	Operational management	Preventive
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358	Operational management	Preventive
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205	Operational management	Preventive
Include security information sharing procedures in the internal control framework. CC ID 06489	Operational management	Preventive
Include security incident response procedures in the internal control framework. CC ID 01359	Operational management	Preventive
Include incident response escalation procedures in the internal control framework. CC ID 11745	Operational management	Preventive
Include continuous user account management procedures in the internal control framework. CC ID 01360	Operational management	Preventive
Include emergency response procedures in the internal control framework. CC ID 06779	Operational management	Detective
Authorize and document all exceptions to the internal control framework. CC ID 06781	Operational management	Preventive
Establish, implement, and maintain a cybersecurity policy. CC ID 16833	Operational management	Preventive
Establish, implement, and maintain an information security program. CC ID 00812	Operational management	Preventive
Include physical safeguards in the information security program. CC ID 12375	Operational management	Preventive
Include technical safeguards in the information security program. CC ID 12374	Operational management	Preventive
Include administrative safeguards in the information security program. CC ID 12373	Operational management	Preventive
Include system development in the information security program. CC ID 12389	Operational management	Preventive
Include system maintenance in the information security program. CC ID 12388	Operational management	Preventive
Include system acquisition in the information security program. CC ID 12387	Operational management	Preventive
Include access control in the information security program. CC ID 12386	Operational management	Preventive
Include operations management in the information security program. CC ID 12385	Operational management	Preventive
Include communication management in the information security program. CC ID 12384	Operational management	Preventive
Include environmental security in the information security program. CC ID 12383	Operational management	Preventive
Include physical security in the information security program. CC ID 12382	Operational management	Preventive
Include human resources security in the information security program. CC ID 12381	Operational management	Preventive
Include asset management in the information security program. CC ID 12380	Operational management	Preventive
Include a continuous monitoring program in the information security program. CC ID 14323	Operational management	Preventive
Include change management procedures in the continuous monitoring plan. CC ID 16227	Operational management	Preventive
include recovery procedures in the continuous monitoring plan. CC ID 16226	Operational management	Preventive
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225	Operational management	Preventive
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223	Operational management	Preventive
Include how the information security department is organized in the information security program. CC ID 12379	Operational management	Preventive
Include risk management in the information security program. CC ID 12378	Operational management	Preventive
Include mitigating supply chain risks in the information security program. CC ID 13352	Operational management	Preventive
Establish, implement, and maintain an information security policy. CC ID 11740	Operational management	Preventive
Include business processes in the information security policy. CC ID 16326	Operational management	Preventive
Include the information security strategy in the information security policy. CC ID 16125	Operational management	Preventive
Include a commitment to continuous improvement in the information security policy. CC ID 16123	Operational management	Preventive
Include roles and responsibilities in the information security policy. CC ID 16120	Operational management	Preventive
Include a commitment to the information security requirements in the information security policy. CC ID 13496	Operational management	Preventive
Include information security objectives in the information security policy. CC ID 13493	Operational management	Preventive
Include the use of Cloud Services in the information security policy. CC ID 13146	Operational management	Preventive
Include notification procedures in the information security policy. CC ID 16842	Operational management	Preventive
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294	Operational management	Preventive
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304	Operational management	Preventive
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885	Operational management	Preventive
Establish, implement, and maintain a social media governance program. CC ID 06536	Operational management	Preventive
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578	Operational management	Preventive
Include explicit restrictions in the social media acceptable use policy. CC ID 06655	Operational management	Preventive
Include contributive content sites in the social media acceptable use policy. CC ID 06656	Operational management	Preventive
Establish, implement, and maintain operational control procedures. CC ID 00831	Operational management	Preventive
Include assigning and approving operations in operational control procedures. CC ID 06382	Operational management	Preventive
Include startup processes in operational control procedures. CC ID 00833	Operational management	Preventive
Include change control processes in the operational control procedures. CC ID 16793	Operational management	Preventive
Establish and maintain a data processing run manual. CC ID 00832	Operational management	Preventive
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826	Operational management	Preventive
Include metrics in the standard operating procedures manual. CC ID 14988	Operational management	Preventive
Include maintenance measures in the standard operating procedures manual. CC ID 14986	Operational management	Preventive
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984	Operational management	Preventive
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982	Operational management	Preventive
Include predetermined changes in the standard operating procedures manual. CC ID 14977	Operational management	Preventive
Include specifications for input data in the standard operating procedures manual. CC ID 14975	Operational management	Preventive
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973	Operational management	Preventive
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972	Operational management	Preventive
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969	Operational management	Preventive
Include the intended purpose in the standard operating procedures manual. CC ID 14967	Operational management	Preventive
Include information on system performance in the standard operating procedures manual. CC ID 14965	Operational management	Preventive
Include contact details in the standard operating procedures manual. CC ID 14962	Operational management	Preventive
Update operating procedures that contribute to user errors. CC ID 06935	Operational management	Corrective
Establish, implement, and maintain a job scheduling methodology. CC ID 00834	Operational management	Preventive
Establish and maintain a job schedule exceptions list. CC ID 00835	Operational management	Preventive
Establish, implement, and maintain a data processing continuity plan. CC ID 00836	Operational management	Preventive
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583	Operational management	Preventive
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350	Operational management	Preventive
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351	Operational management	Preventive
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894	Operational management	Preventive
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703	Operational management	Preventive
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708	Operational management	Preventive
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707	Operational management	Preventive
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706	Operational management	Preventive
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705	Operational management	Preventive
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293	Operational management	Preventive
Include a web usage policy in the Acceptable Use Policy. CC ID 16496	Operational management	Preventive
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352	Operational management	Preventive
Include asset tags in the Acceptable Use Policy. CC ID 01354	Operational management	Preventive
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699	Operational management	Preventive
Include asset use policies in the Acceptable Use Policy. CC ID 01355	Operational management	Preventive
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872	Operational management	Preventive
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353	Operational management	Preventive
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893	Operational management	Preventive
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356	Operational management	Preventive
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881	Operational management	Preventive
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357	Operational management	Preventive
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441	Operational management	Preventive
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296	Operational management	Corrective
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311	Operational management	Preventive
Include a software installation policy in the Acceptable Use Policy. CC ID 06749	Operational management	Preventive
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472	Operational management	Preventive
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661	Operational management	Preventive
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663	Operational management	Preventive
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821	Operational management	Preventive
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512	Operational management	Preventive
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513	Operational management	Preventive
Establish, implement, and maintain an e-mail policy. CC ID 06439	Operational management	Preventive
Include business use of personal e-mail in the e-mail policy. CC ID 14381	Operational management	Preventive
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603	Operational management	Preventive
Establish, implement, and maintain nondisclosure agreements. CC ID 04536	Operational management	Preventive
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667	Operational management	Preventive
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669	Operational management	Preventive
Establish, implement, and maintain a use of information agreement. CC ID 06215	Operational management	Preventive
Include use limitations in the use of information agreement. CC ID 06244	Operational management	Preventive
Include disclosure requirements in the use of information agreement. CC ID 11735	Operational management	Preventive
Include information recipients in the use of information agreement. CC ID 06245	Operational management	Preventive
Include reporting out of scope use of information in the use of information agreement. CC ID 06246	Operational management	Preventive
Include disclosure of information in the use of information agreement. CC ID 11830	Operational management	Preventive
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130	Operational management	Preventive
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418	Operational management	Preventive
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131	Operational management	Preventive
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132	Operational management	Preventive
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{reasonable and appropriate measure} In meeting its responsibilities under this Act, an organisation shall "term_primary-verb">consider what a reasonable person would consider appropriate in the circumstances. § 11.(1) {reasonable and appropriate measure} In meeting its responsibilities under this Act, an organisation shall "term_primary-verb">consider what a reasonable person would consider appropriate in the circumstances. § 11.(1) The designation of an individual by an organisation under subsection (3) shall not relieve the organisation of any of its obligations under this Act. § 11.(6) {legitimate interest}{personal data}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — comply with any other prescribed requirements. FIRST SCHEDULE PART 3 § 1.(3)(c)]	Operational management	Preventive
Establish, implement, and maintain a customer service program. CC ID 00846	Operational management	Preventive
Include detection procedures in the Incident Management program. CC ID 00588	Operational management	Preventive
Share data loss event information with interconnected system owners. CC ID 01209	Operational management	Corrective
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547	Operational management	Preventive
Include data loss event notifications in the Incident Response program. CC ID 00364	Operational management	Preventive
Include required information in the written request to delay the notification to affected parties. CC ID 16785	Operational management	Preventive
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985	Operational management	Preventive
Establish, implement, and maintain incident response notifications. CC ID 12975 [{data breach} The notification under subsection (1) must be made in the form and submitted in the manner required by the Commission. § 26D.(4)]	Operational management	Corrective
Include information required by law in incident response notifications. CC ID 00802 [The notification under subsection (1) or (2) must contain, to the best of the knowledge and belief of the organisation at the time it notifies the Commission or affected individual (as the case may be), all the information that is prescribed for this purpose. § 26D.(3)]	Operational management	Detective
Title breach notifications "Notice of Data Breach". CC ID 12977	Operational management	Preventive
Display titles of incident response notifications clearly and conspicuously. CC ID 12986	Operational management	Preventive
Display headings in incident response notifications clearly and conspicuously. CC ID 12987	Operational management	Preventive
Design the incident response notification to call attention to its nature and significance. CC ID 12984	Operational management	Preventive
Use plain language to write incident response notifications. CC ID 12976	Operational management	Preventive
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983	Operational management	Preventive
Include the affected parties rights in the incident response notification. CC ID 16811	Operational management	Preventive
Include details of the investigation in incident response notifications. CC ID 12296	Operational management	Preventive
Include the issuer's name in incident response notifications. CC ID 12062	Operational management	Preventive
Include a "What Happened" heading in breach notifications. CC ID 12978	Operational management	Preventive
Include a general description of the data loss event in incident response notifications. CC ID 04734	Operational management	Preventive
Include time information in incident response notifications. CC ID 04745	Operational management	Preventive
Include the identification of the data source in incident response notifications. CC ID 12305	Operational management	Preventive
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979	Operational management	Preventive
Include the type of information that was lost in incident response notifications. CC ID 04735	Operational management	Preventive
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776	Operational management	Preventive
Include a "What We Are Doing" heading in the breach notification. CC ID 12982	Operational management	Preventive
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736	Operational management	Preventive
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737	Operational management	Preventive
Include a "For More Information" heading in breach notifications. CC ID 12981	Operational management	Preventive
Include details of the companies and persons involved in incident response notifications. CC ID 12295	Operational management	Preventive
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744	Operational management	Preventive
Include the reporting individual's contact information in incident response notifications. CC ID 12297	Operational management	Preventive
Include any consequences in the incident response notifications. CC ID 12604	Operational management	Preventive
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746	Operational management	Preventive
Include a "What You Can Do" heading in the breach notification. CC ID 12980	Operational management	Preventive
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738	Operational management	Detective
Include contact information in incident response notifications. CC ID 04739	Operational management	Preventive
Include contact information in the substitute incident response notification. CC ID 16776	Operational management	Preventive
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748	Operational management	Preventive
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850	Privacy protection for information and data	Preventive
Establish, implement, and maintain opt-out notices. CC ID 13448 [A subscriber may apply to the Commission, in the form and manner prescribed — to remove his Singapore y-verb">oun">telephone numberspan> from a register. § 40.(1)(b)]	Privacy protection for information and data	Preventive
Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465	Privacy protection for information and data	Preventive
Include the opt out method for data subjects in the opt-out notice. CC ID 13467	Privacy protection for information and data	Preventive
Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463	Privacy protection for information and data	Preventive
Explain the right to opt out in the opt-out notice. CC ID 13462	Privacy protection for information and data	Preventive
Include the organization's right to share personal data in the opt-out notice. CC ID 13450	Privacy protection for information and data	Preventive
Publish a description of processing activities in an official register. CC ID 00379	Privacy protection for information and data	Preventive
Establish and maintain a records request manual. CC ID 00381	Privacy protection for information and data	Preventive
Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382	Privacy protection for information and data	Preventive
Define what is included in registration notices. CC ID 00386	Privacy protection for information and data	Preventive
Include the verification method in the registration notice. CC ID 16798	Privacy protection for information and data	Preventive
Include the statutory authority in the registration notice. CC ID 16799	Privacy protection for information and data	Preventive
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387	Privacy protection for information and data	Preventive
Include a purpose specification description in the registration notice. CC ID 00388	Privacy protection for information and data	Preventive
Include information about the dispute resolution body in the registration notice. CC ID 16800	Privacy protection for information and data	Preventive
Include the data subject category being processed in the registration notice. CC ID 00389	Privacy protection for information and data	Preventive
Include the time period for data processing in the registration notice. CC ID 00390	Privacy protection for information and data	Preventive
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392	Privacy protection for information and data	Preventive
Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618	Privacy protection for information and data	Preventive
Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 [For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of— on request by the individual, the business contact information of a person who is able to econdary-verb">answer on behalf of the organisation the individual's questions about the collection, use or disclosure of the personal data. § 20.(1)(c) An organisation shall make available to the public the business contact information of at least one of the individuals designated under subsection (3) or delegated under subsection (4). § 11.(5) Without limiting subsection (5), an organisation is deemed to have satisfied that subsection if the organisation makes available the business contact information of any individual mentioned in subsection (3) in any prescribed manner. 11.(5A)]	Privacy protection for information and data	Preventive
Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 [An organisation shall — make information available on request about — the complaint process referred to in paragraph (b). § 12.(d).(ii)]	Privacy protection for information and data	Preventive
Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996	Privacy protection for information and data	Preventive
Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004	Privacy protection for information and data	Preventive
Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003	Privacy protection for information and data	Preventive
Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002	Privacy protection for information and data	Preventive
Specify the purpose of the disclosure in the written consent. CC ID 13001	Privacy protection for information and data	Preventive
Specify which education records may be disclosed in the written consent. CC ID 13000	Privacy protection for information and data	Preventive
Document the conditions when consent is not required to disclose educational data. CC ID 00225	Privacy protection for information and data	Preventive
Record the health and safety threats of students when disclosing personal data. CC ID 12997	Privacy protection for information and data	Preventive
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393	Privacy protection for information and data	Preventive
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [Any person may apply to the Commission, in the form and manner required by the Commission, to confirm whether any Singapore ;" class="term_primary-noun">telephone number is listed in a oun">register. § 40.(2)]	Privacy protection for information and data	Preventive
Establish and maintain a disclosure accounting record. CC ID 13022	Privacy protection for information and data	Preventive
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680	Privacy protection for information and data	Preventive
Include the disclosure purpose in the disclosure accounting record. CC ID 07135 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the organisation's intention to collect, use or disclose the personal data; § 15A.(4)(b)(i)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain personal data choice and consent program. CC ID 12569 [A subscriber may apply to the Commission, in the form and manner prescribed — to add his Singapore y-verb">">telephone numbern> to a register; or § 40.(1)(a) A person does not contravene subsection (1) if the subscriber or user of the Singapore telephone number to which a specified message is sent — gave clear and unambiguous consent to the sending of the specified message to that Singapore telephone number; and § 43.(4)(a)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain data request procedures. CC ID 16546	Privacy protection for information and data	Preventive
Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 [A person does not contravene subsection (1) if the subscriber or user of the Singapore telephone number to which a specified message is sent — the consent is evidenced in written or other form so as to be accessible for subsequent reference. § 43.(4)(b)]	Privacy protection for information and data	Preventive
Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438	Privacy protection for information and data	Preventive
Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999	Privacy protection for information and data	Preventive
Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440	Privacy protection for information and data	Preventive
Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439	Privacy protection for information and data	Preventive
Include the identity of the data subject in the disclosure authorization form. CC ID 13436	Privacy protection for information and data	Preventive
Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442	Privacy protection for information and data	Preventive
Include how personal data will be used in the disclosure authorization form. CC ID 13441	Privacy protection for information and data	Preventive
Include agreement termination information in the disclosure authorization form. CC ID 13437	Privacy protection for information and data	Preventive
Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data accountability program. CC ID 13432	Privacy protection for information and data	Preventive
Establish, implement, and maintain approval applications. CC ID 16778	Privacy protection for information and data	Preventive
Include required information in the approval application. CC ID 16628	Privacy protection for information and data	Preventive
Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 [{business improvement purpose}Sub-paragraph (1)(a) and (c) applies only if — X and Y are bound by any contract or other agreement or binding corporate rules requiring the recipient of personal data about P to implement and maintain appropriate safeguards for the personal data. FIRST SCHEDULE PART 5 § 1.(3)(c)]	Privacy protection for information and data	Preventive
Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682	Privacy protection for information and data	Preventive
Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612	Privacy protection for information and data	Preventive
Include data subject's rights in the Binding Corporate Rules. CC ID 12596	Privacy protection for information and data	Preventive
Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597	Privacy protection for information and data	Preventive
Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595	Privacy protection for information and data	Preventive
Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594	Privacy protection for information and data	Preventive
Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620	Privacy protection for information and data	Preventive
Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593	Privacy protection for information and data	Preventive
Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591	Privacy protection for information and data	Preventive
Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592	Privacy protection for information and data	Preventive
Include complaint procedures in the Binding Corporate Rules. CC ID 12613	Privacy protection for information and data	Preventive
Include the data transfers in the Binding Corporate Rules. CC ID 12590	Privacy protection for information and data	Preventive
Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662	Privacy protection for information and data	Preventive
Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601	Privacy protection for information and data	Preventive
Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600	Privacy protection for information and data	Preventive
Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599	Privacy protection for information and data	Preventive
Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598	Privacy protection for information and data	Preventive
Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627	Privacy protection for information and data	Preventive
Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626	Privacy protection for information and data	Preventive
Establish, implement, and maintain Data Processing Contracts. CC ID 12650	Privacy protection for information and data	Preventive
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — satisfy any other prescribed requirements. § 15A.(4)(c) The organisation must, in respect of the assessment mentioned in subsection (4)(a) — comply with any other prescribed requirements. § 15A.(5)(c) {person}A checker is deemed to have complied with subsection (2)(a) if — the applicable information that the checker provides to P is in accordance with a reply from the Commission in response to the checker's application under section 40(2); and § 43A.(3)(a)]	Privacy protection for information and data	Preventive
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 [{prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: if any personal data X collects from Y does not relate directly to the part of Y or Y's business assets with which the business asset transaction entered into is concerned, X must destroy, or return to Y, that personal data; FIRST SCHEDULE PART 4 § 1.(4)(b)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data use limitation program. CC ID 13428	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093	Privacy protection for information and data	Preventive
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106	Privacy protection for information and data	Preventive
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108	Privacy protection for information and data	Preventive
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 [If an individual gives or is deemed to have given, consent to the disclosure of personal data about the individual by one organisation to another organisation for a particular purpose, the individual is deemed to consent to the collection, use, or disclosure of the personal data for that particular purpose by that other organisation. § 15.(2) {consent}{disclosure} Where an organisation collects personal data disclosed to it by B under subsection (3)(c), subsection (3)(b) and (c) applies to the organisation as if the personal data were disclosed by A to the organisation under subsection (3)(a). § 15.(4)]	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453	Privacy protection for information and data	Preventive
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449	Privacy protection for information and data	Preventive
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447	Privacy protection for information and data	Preventive
Establish, implement, and maintain data access procedures. CC ID 00414	Privacy protection for information and data	Preventive
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [{allow} An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. § 22.(1)]	Privacy protection for information and data	Preventive
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975	Privacy protection for information and data	Preventive
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 [Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the organisation satisfies the requirements in subsection (4); and § 15A.(2)(a)]	Privacy protection for information and data	Preventive
Establish and maintain a record of processing activities when processing restricted data. CC ID 12636	Privacy protection for information and data	Preventive
Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378	Privacy protection for information and data	Preventive
Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377	Privacy protection for information and data	Preventive
Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376	Privacy protection for information and data	Preventive
Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375	Privacy protection for information and data	Preventive
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257	Privacy protection for information and data	Preventive
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201	Privacy protection for information and data	Preventive
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216	Privacy protection for information and data	Preventive
Define and implement valid authorization control requirements. CC ID 06258	Privacy protection for information and data	Preventive
Define security breach notification requirement exceptions. CC ID 04797	Privacy protection for information and data	Preventive
Define what restricted data is not required to be disclosed absent consent. CC ID 00134	Privacy protection for information and data	Preventive
Define the exceptions to disclosure absent consent. CC ID 00135	Privacy protection for information and data	Preventive
Define opt-out exceptions for disclosing restricted data. CC ID 00159	Privacy protection for information and data	Preventive
Define how a data subject may give consent. CC ID 00160 [An individual has not given consent under this Act for the collection, use or disclosure of personal data about the individual by an organisation for a purpose unless— the individual has been provided with the information required under section 20; and § 14.(1)(a) {render invalid} Any consent given in any of the circumstances in subsection (2) is not validly given for the purposes of this Act. § 14.(3) An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if— the individual, without actually giving consent referred to in section 14, voluntarily provides the personal data to the organisation for that purpose; and § 15.(1)(a) In this Act, references to the consent given or deemed to have been given, by an individual for the collection, use, or disclosure of personal data about the individual shall include consent given, or deemed to have been given, by any person validly acting on behalf of that individual for the collection, use or disclosure of such personal data. § 14.(4) An individual has not given consent under this Act for the collection, use or disclosure of personal data about the individual by an organisation for a purpose unless — the individual provided his consent for that purpose in accordance with this Act. § 14.(1)(b) Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the individual does not notify the organisation, before the expiry of the period mentioned in subsection (4)(b)(iii), that the individual does not consent to the proposed collection, use or disclosure of the personal data by the organisation. § 15A.(2)(b) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: a reasonable period within which, and a reasonable manner by which, the individual may notify the organisation that the individual does not consent to the organisation's proposed collection, use or disclosure of the personal data; and § 15A.(4)(b)(iii)]	Privacy protection for information and data	Preventive
Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162	Privacy protection for information and data	Detective
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [the organisation must preserve, for not less than the prescribed period, a copy of the personal data concerned. § 22A.(1) ¶ 1]	Privacy protection for information and data	Preventive
Establish, implement, and maintain personal data disposition procedures. CC ID 13498	Privacy protection for information and data	Preventive
Document the redisclosing restricted data exceptions. CC ID 00170	Privacy protection for information and data	Preventive
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242	Privacy protection for information and data	Preventive
Establish, implement, and maintain data disclosure procedures. CC ID 00133 [Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the organisation satisfies the requirements in subsection (4); and § 15A.(2)(a) {business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: Y may use or disclose the personal data collected from Z only for the same purposes for which Z would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(b)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain data request denial procedures. CC ID 00434	Privacy protection for information and data	Preventive
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data collection program. CC ID 06487	Privacy protection for information and data	Preventive
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 [Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the organisation satisfies the requirements in subsection (4); and § 15A.(2)(a)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data use policy. CC ID 00076	Privacy protection for information and data	Preventive
Post the collection purpose. CC ID 00101	Privacy protection for information and data	Preventive
Document each individual's personal data collection consent preferences. CC ID 06945	Privacy protection for information and data	Preventive
Establish and maintain a personal data definition. CC ID 00028	Privacy protection for information and data	Preventive
Include the number of children in the personal data definition. CC ID 13759	Privacy protection for information and data	Preventive
Include the individual's religion in the personal data definition. CC ID 13765	Privacy protection for information and data	Preventive
Include an individual's political party affiliation in the personal data definition. CC ID 13764	Privacy protection for information and data	Preventive
Include an individual's license plate number in the personal data definition. CC ID 13763	Privacy protection for information and data	Preventive
Include an individual's account balances in the personal data definition. CC ID 13770	Privacy protection for information and data	Preventive
Include an individual's logon credentials in the personal data definition. CC ID 13771	Privacy protection for information and data	Preventive
Include an individual's military identification number in the personal data definition. CC ID 13083	Privacy protection for information and data	Preventive
Refrain from including publicly available information in the personal data definition. CC ID 13084	Privacy protection for information and data	Preventive
Notify parents or legal representatives of what information is collected from children. CC ID 00040	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data collection policy. CC ID 00029	Privacy protection for information and data	Preventive
Provide the data subject with information about the data controller during the collection process. CC ID 00023	Privacy protection for information and data	Preventive
Provide the data subject with the data collector's name and contact information. CC ID 00024 [For the purposes of subsection (4), the organisation must inform the individual of the following: on request by the individual, the business contact information of a person who is able to answer the individual's questions about that collection, use or disclosure (as the case may be) on behalf of the organisation. § 20.(5)(b)]	Privacy protection for information and data	Preventive
Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025	Privacy protection for information and data	Preventive
Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026	Privacy protection for information and data	Preventive
Establish, implement, and maintain a data handling program. CC ID 13427	Privacy protection for information and data	Preventive
Establish, implement, and maintain data handling policies. CC ID 00353	Privacy protection for information and data	Preventive
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data transfer program. CC ID 00307	Privacy protection for information and data	Preventive
Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333	Privacy protection for information and data	Preventive
Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 [{other country} An organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with requirements verb">prescribed under this Act to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under this Act. § 26.(1)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain a privacy impact assessment. CC ID 13712 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify and implement reasonable measures to — reduce the likelihood that the adverse effect will occur; or § 15A.(5)(b)(ii) The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify and implement reasonable measures to — eliminate the adverse effect; § 15A.(5)(b)(i) The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify and implement reasonable measures to — mitigate the adverse effect; and § 15A.(5)(b)(iii)]	Privacy protection for information and data	Preventive
Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520	Privacy protection for information and data	Preventive
Include how to grant consent in the privacy impact assessment. CC ID 15519	Privacy protection for information and data	Preventive
Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518	Privacy protection for information and data	Preventive
Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517	Privacy protection for information and data	Preventive
Include data handling procedures in the privacy impact assessment. CC ID 15516	Privacy protection for information and data	Preventive
Include the intended use of information in the privacy impact assessment. CC ID 15515	Privacy protection for information and data	Preventive
Include the reason information is being collected in the privacy impact assessment. CC ID 15514	Privacy protection for information and data	Preventive
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 [An organisation shall — develop a process to receive and respond to complaints that may arise with respect to the application of this Act; § 12.(b)]	Privacy protection for information and data	Preventive
Include potential remedies in the privacy dispute resolution program. CC ID 12531	Privacy protection for information and data	Preventive
Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395	Privacy protection for information and data	Preventive
Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529	Privacy protection for information and data	Preventive
Document unresolved challenges. CC ID 13568 [An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. Section 22 shall not apply in respect of— any erm_secondary-verb">BBC;" class="term_primary-noun">examination> conducted by an education institution, examination scripts and, prior to the release of examination results, <span style="background-color:#F0BBBC;" class="term_primary-noun">examination results; SIXTH SCHEDULE § 1.(b) An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. Section 22 shall not apply in respect of— the personal data of the background-color:#F0BBBC;" class="term_primary-noun">beneficiaries of a tyle="background-color:#F0BBBC;" class="term_primary-noun">private trust kept solely for the purpose of ass="term_primary-verb">administering the trust; SIXTH SCHEDULE § 1.(c) An organisation is not required to provide information under section 21(1) in respect of — a document related to a prosecution if all proceedings related to the prosecution have not been completed; or SIXTH SCHEDULE § 1.(e)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain an accuracy resolution policy. CC ID 00460	Privacy protection for information and data	Preventive
Document disagreements as to whether personal data is complete and accurate. CC ID 06952	Privacy protection for information and data	Preventive
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 [An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. Section 22 shall b">not apply in respect of— background-color:#F0BBBC;" class="term_primary-noun">opinion data kept solely for an imary-noun">evaluative purpose; SIXTH SCHEDULE § 1.(a) If no correction is made under subsection (2)(a) or (4), the organisation shall annotate the personal data in its possession or under its control with the correction that was requested but e="background-color:#CBD0E5;" class="term_secondary-verb">not made. § 22.(5)]	Privacy protection for information and data	Preventive
Define the organization's liability based on the applicable law. CC ID 00504	Privacy protection for information and data	Preventive
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 [A person who suffers loss or damage directly as a result of a contravention — has a right of action for relief in civil proceedings in a court. § 48O.(1) ¶ 1 A telecommunications service provider which contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000. § 42.(2)]	Privacy protection for information and data	Preventive
Define the appeal process based on the applicable law. CC ID 00506 [The application for reconsideration — must be made in the form and manner required by the Commission; and § 48N.(4)(b) An organisation or a person aggrieved by a financial penalty imposed by the Commission under section 48J(1) on the organisation or person may make a written application to the Commission to reconsider the decision to impose the financial penalty or the amount of the financial penalty so imposed in accordance with this section. § 48N.(2) The application for reconsideration — subject to subsection (5), must be submitted to the Commission within the prescribed period; § 48N.(4)(a) The application for reconsideration — must set out the grounds on which the applicant is requesting the reconsideration. § 48N.(4)(c)]	Privacy protection for information and data	Preventive
Establish, implement, and maintain customer data authentication procedures. CC ID 13187	Privacy protection for information and data	Preventive
Establish, implement, and maintain an anti-spam policy. CC ID 00283 [Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes the information, and complies with the conditions, specified in the regulations, if any; and § 44.(c) Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes the information, and complies with the conditions, specified in the regulations, if any; and § 44.(c) For the purposes of subsection (1), the person has valid confirmation that a Singapore telephone number is not listed in the relevant register in either of the following circumstances: the person has obtained from a checker information that the Singapore telephone number is not listed in the relevant register (called in this section the relevant information) and has no reason to believe that, and is not reckless as to whether — § 43.(2)(b)]	Privacy protection for information and data	Preventive
Include information identifying the organization hired to send commercial electronic messages when sending commercial electronic messages through a third party. CC ID 00286	Privacy protection for information and data	Detective
Define aggravated violations that relate to commercial electronic messages. CC ID 00293	Privacy protection for information and data	Preventive
Establish, implement, and maintain a do-not-e-mail registry. CC ID 00297	Privacy protection for information and data	Preventive
Include that commercial electronic messages may be sent to an individual in any situation where the sender has prior consent from the individual or another existing business relationship in the anti-spam policy. CC ID 00300	Privacy protection for information and data	Preventive
Document erroneous messages when an unsolicited commercial electronic message is accidentally sent. CC ID 00303	Privacy protection for information and data	Preventive

Human Resources Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Define and assign workforce roles and responsibilities. CC ID 13267	Human Resources management	Preventive
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616	Human Resources management	Preventive
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615	Human Resources management	Preventive
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666	Human Resources management	Preventive
Assign the role of data controller to provide advice, when requested. CC ID 12611	Human Resources management	Preventive
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523	Operational management	Preventive
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524	Operational management	Preventive
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884	Operational management	Preventive
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883	Operational management	Preventive
Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435	Privacy protection for information and data	Preventive
Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 [An organisation shall designate one or more individuals to be responsible for ensuring that the organisation verb">complies with this Act. § 11.(3)]	Privacy protection for information and data	Preventive
Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798	Privacy protection for information and data	Preventive

IT Impact Zone

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Audits and risk management CC ID 00677	Audits and risk management	IT Impact Zone
Human Resources management CC ID 00763	Human Resources management	IT Impact Zone
Operational management CC ID 00805	Operational management	IT Impact Zone
Privacy protection for information and data CC ID 00008	Privacy protection for information and data	IT Impact Zone

Investigate

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Perform social network analysis, as necessary. CC ID 14864	Operational management	Detective
Analyze requirements for processing personal data in contracts. CC ID 12550	Privacy protection for information and data	Detective
Confirm the data quality of personal data collected from third parties. CC ID 13510	Privacy protection for information and data	Detective
Review the methods for collecting personal data, as necessary. CC ID 13511	Privacy protection for information and data	Detective

Log Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326	Operational management	Detective

Monitor and Evaluate Occurrences

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Monitor and review the effectiveness of the information security program. CC ID 12744	Operational management	Preventive

Process or Activity

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — conduct an assessment to determine that the proposed collection, use or disclosure of the personal data is not likely to have an adverse effect on the individual; § 15A.(4)(a) {legitimate interest}For the purposes of sub-paragraph (1), the organisation must — conduct an assessment, before collecting, using or disclosing the personal data (as the case may be), to determine whether sub-paragraph (1) is satisfied; and FIRST SCHEDULE PART 3 § 1.(2)(a) {legitimate interest}For the purposes of sub-paragraph (1), the organisation must — conduct an assessment, before collecting, using or disclosing the personal data (as the case may be), to determine whether sub-paragraph (1) is satisfied; and FIRST SCHEDULE PART 3 § 1.(2)(a) {legitimate interest}For the purposes of sub-paragraph (1), the organisation must — conduct an assessment, before collecting, using or disclosing the personal data (as the case may be), to determine whether sub-paragraph (1) is satisfied; and FIRST SCHEDULE PART 3 § 1.(2)(a)]	Audits and risk management	Preventive
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915	Operational management	Preventive
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895	Operational management	Preventive
Evaluate information sharing partners, as necessary. CC ID 12749	Operational management	Preventive
Review and approve access controls, as necessary. CC ID 13074	Operational management	Detective
Provide management direction and support for the information security program. CC ID 11999	Operational management	Preventive
Approve the information security policy at the organization's management level or higher. CC ID 11737	Operational management	Preventive
Define thresholds for approving information security activities in the information security program. CC ID 15702	Operational management	Preventive
Use systems in accordance with the standard operating procedures manual. CC ID 15049	Operational management	Preventive
Provide support for information sharing activities. CC ID 15644	Operational management	Preventive
Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821	Operational management	Preventive
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819	Operational management	Preventive
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818	Operational management	Preventive
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817	Operational management	Preventive
Analyze the Governance, Risk, and Compliance approach. CC ID 12816	Operational management	Preventive
Analyze the organizational culture. CC ID 12899	Operational management	Preventive
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922	Operational management	Detective
Include the organizational climate in the analysis of the organizational culture. CC ID 12921	Operational management	Detective
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920	Operational management	Detective
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747	Operational management	Corrective
Revoke the written request to delay the notification. CC ID 16843	Operational management	Preventive
Post the incident response notification on the organization's website. CC ID 16809	Operational management	Preventive
Document the determination for providing a substitute incident response notification. CC ID 16841	Operational management	Preventive
Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609	Privacy protection for information and data	Preventive
Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 [{person]A checker must — provide the applicable information to P in accordance with any prescribed requirements. § 43A.(2)(b)]	Privacy protection for information and data	Preventive
Notify the data subject of the right to data portability. CC ID 12603	Privacy protection for information and data	Preventive
Provide the data subject with information about the right to erasure. CC ID 12602	Privacy protection for information and data	Preventive
Confirm the individual's identity before granting an opt-out request. CC ID 16813	Privacy protection for information and data	Preventive
Approve the approval application unless applicant has been convicted. CC ID 16603	Privacy protection for information and data	Preventive
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606	Privacy protection for information and data	Preventive
Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668	Privacy protection for information and data	Preventive
Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778	Privacy protection for information and data	Detective
Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644	Privacy protection for information and data	Preventive
Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619	Privacy protection for information and data	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969	Privacy protection for information and data	Preventive
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 [{individual's vital interest}{collect}{disclose} Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — FIRST SCHEDULE PART 1 § 1.(1)]	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789	Privacy protection for information and data	Preventive
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788	Privacy protection for information and data	Preventive
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702	Privacy protection for information and data	Preventive
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700	Privacy protection for information and data	Preventive
Define the fee structure for the appeal process. CC ID 16532	Privacy protection for information and data	Preventive
Define the time requirements for the appeal process. CC ID 16531	Privacy protection for information and data	Preventive

Records Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include information sharing procedures in standard operating procedures. CC ID 12974	Operational management	Preventive
Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025	Privacy protection for information and data	Preventive
Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019	Privacy protection for information and data	Preventive
Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998	Privacy protection for information and data	Corrective
Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020	Privacy protection for information and data	Corrective
Grant access to education records in support of educational program audits. CC ID 13032	Privacy protection for information and data	Preventive
Grant access to education records in support of external requirements. CC ID 13033	Privacy protection for information and data	Preventive
Collect and retain disclosure authorizations for each data subject. CC ID 13434	Privacy protection for information and data	Preventive
Refrain from destroying records being inspected or reviewed. CC ID 13015	Privacy protection for information and data	Preventive
Submit personal data removal requests in writing. CC ID 11973	Privacy protection for information and data	Preventive
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812	Privacy protection for information and data	Corrective
Refrain from processing restricted data, as necessary. CC ID 12551 [Notwithstanding the other provisions in this Part, an organisation may use personal data about an individual collected before the appointed day for the purposes for which the personal data was collected unless — the individual, whether before, on or after the appointed day, has otherwise indicated to the organisation that he does not consent to the use of the personal data. § 19.(b) An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless — § 13.]	Privacy protection for information and data	Preventive
Include the data protection officer's contact information in the record of processing activities. CC ID 12640	Privacy protection for information and data	Preventive
Include the data processor's contact information in the record of processing activities. CC ID 12657	Privacy protection for information and data	Preventive
Include the data processor's representative's contact information in the record of processing activities. CC ID 12658	Privacy protection for information and data	Preventive
Include a general description of the implemented security measures in the record of processing activities. CC ID 12641	Privacy protection for information and data	Preventive
Include a description of the data subject categories in the record of processing activities. CC ID 12659	Privacy protection for information and data	Preventive
Include the purpose of processing restricted data in the record of processing activities. CC ID 12663	Privacy protection for information and data	Preventive
Include the personal data processing categories in the record of processing activities. CC ID 12661	Privacy protection for information and data	Preventive
Include the time limits for erasing each data category in the record of processing activities. CC ID 12690	Privacy protection for information and data	Preventive
Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664	Privacy protection for information and data	Preventive
Include a description of the personal data categories in the record of processing activities. CC ID 12660	Privacy protection for information and data	Preventive
Include the joint data controller's contact information in the record of processing activities. CC ID 12639	Privacy protection for information and data	Preventive
Include the data controller's representative's contact information in the record of processing activities. CC ID 12638	Privacy protection for information and data	Preventive
Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643	Privacy protection for information and data	Preventive
Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642	Privacy protection for information and data	Preventive
Include the data controller's contact information in the record of processing activities. CC ID 12637	Privacy protection for information and data	Preventive
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966	Privacy protection for information and data	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970	Privacy protection for information and data	Preventive
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976	Privacy protection for information and data	Preventive
Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 [An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless — § 13.]	Privacy protection for information and data	Preventive
Remove personal data from records after receiving a personal data removal request. CC ID 11972	Privacy protection for information and data	Preventive

Technical Security

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892	Operational management	Preventive
Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014	Privacy protection for information and data	Preventive
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646	Privacy protection for information and data	Preventive
Employ a random number generator to create authenticators. CC ID 13782	Privacy protection for information and data	Preventive
Provide unobservability of users and resources. CC ID 04551	Privacy protection for information and data	Preventive
Implement security measures to protect personal data. CC ID 13606 [{storage device}An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent — the loss of any storage medium or device on which personal data is stored. § 24.(b) {absent authorization}An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent — unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and § 24.(a)]	Privacy protection for information and data	Preventive

Testing

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Assign and staff all roles appropriately. CC ID 00784	Human Resources management	Detective
Record restricted data correctly. CC ID 00089	Privacy protection for information and data	Detective
Refrain from unknowingly including hyperlinks in commercial electronic messages to the anti-spam policy's country of origin. CC ID 00305	Privacy protection for information and data	Detective

Common Controls and
mandates by Classification 172 Mandated Controls - bold
59 Implied Controls - italic 800 Implementation

Number of Controls

1031 Total

Corrective

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Measure policy compliance when reviewing the internal control framework. CC ID 06442	Operational management	Actionable Reports or Measurements
Update operating procedures that contribute to user errors. CC ID 06935	Operational management	Establish/Maintain Documentation
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747	Operational management	Process or Activity
Share incident information with interested personnel and affected parties. CC ID 01212 [{data breach} The notification under subsection (1) must be made in the form and submitted in the manner required by the Commission. § 26D.(4)]	Operational management	Data and Information Management
Share data loss event information with the media. CC ID 01759	Operational management	Behavior
Share data loss event information with interconnected system owners. CC ID 01209	Operational management	Establish/Maintain Documentation
Report data loss event information to breach notification organizations. CC ID 01210 [Where an organisation assesses, in accordance with section 26C, that a data breach is a notifiable data breach, the organisation must notify the Commission as soon as is practicable, but in any case no later than 3 calendar days after the day the organisation makes that assessment. § 26D.(1)]	Operational management	Data and Information Management
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731	Operational management	Behavior
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 [Where a data intermediary (other than a data intermediary mentioned in section 26E) has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation — the data intermediary must, without undue delay, notify that other organisation of the occurrence of the data breach; and § 26C.(3)(a) Subject to subsections (5), (6) and (7), on or after notifying the Commission under subsection (1), the organisation must also notify each affected individual affected by a notifiable data breach mentioned in section 26B(1)(a) in any manner that is reasonable in the circumstances. § 26D.(2) {refrain from delaying} the organisation must, without undue delay, notify the public agency of the occurrence of the data breach. § 26E. ¶ 1]	Operational management	Behavior
Delay sending incident response notifications under predetermined conditions. CC ID 00804	Operational management	Behavior
Establish, implement, and maintain incident response notifications. CC ID 12975 [{data breach} The notification under subsection (1) must be made in the form and submitted in the manner required by the Commission. § 26D.(4)]	Operational management	Establish/Maintain Documentation
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767	Operational management	Communicate
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766	Operational management	Business Processes
Send paper incident response notifications to affected parties, as necessary. CC ID 00366	Operational management	Behavior
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803	Operational management	Behavior
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368	Operational management	Behavior
Telephone incident response notifications to affected parties, as necessary. CC ID 04650	Operational management	Behavior
Publish the incident response notification in a general circulation periodical. CC ID 04651	Operational management	Behavior
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367	Operational management	Behavior
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347	Operational management	Communicate
Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998	Privacy protection for information and data	Records Management
Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020	Privacy protection for information and data	Records Management
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675	Privacy protection for information and data	Communicate
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812	Privacy protection for information and data	Records Management
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990	Privacy protection for information and data	Communicate
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708	Privacy protection for information and data	Communicate
Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 [{data breach}{notifiable data breach} The organisation must carry out the assessment mentioned in subsection (2) or (3)(b) in accordance with any prescribed requirements. § 26C.(4)]	Privacy protection for information and data	Communicate
Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989	Privacy protection for information and data	Communicate
Change or destroy any personal data that is incorrect. CC ID 00462 [When an organisation is notified under subsection (2)(b) or (3) of a correction of personal data, the organisation shall correct the personal data in its possession or under its control unless the organisation is satisfied on reasonable grounds that the correction should "background-color:#CBD0E5;" class="term_secondary-verb">not be made. § 22.(4) Unless the organisation is satisfied on reasonable grounds that a correction should not be made, the organisation shall — correct the personal data as soon as practicable; and § 22.(2)(a)]	Privacy protection for information and data	Data and Information Management
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463	Privacy protection for information and data	Behavior
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465	Privacy protection for information and data	Data and Information Management
Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466	Privacy protection for information and data	Behavior
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 [subject to subsection (3), send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the date the correction was made, unless that other organisation does not need the corrected personal data for any legal or business purpose. § 22.(2)(b) An organisation (not being a credit bureau) may, if the individual consents, send the corrected personal data only to specific organisations to which the personal data was disclosed by the organisation within a year before the date the correction was made. § 22.(3)]	Privacy protection for information and data	Behavior

Detective

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Assign and staff all roles appropriately. CC ID 00784	Human Resources management	Testing
Review the relevance of information supporting internal controls. CC ID 12420	Operational management	Business Processes
Include emergency response procedures in the internal control framework. CC ID 06779	Operational management	Establish/Maintain Documentation
Review and approve access controls, as necessary. CC ID 13074	Operational management	Process or Activity
Perform social network analysis, as necessary. CC ID 14864	Operational management	Investigate
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922	Operational management	Process or Activity
Include the organizational climate in the analysis of the organizational culture. CC ID 12921	Operational management	Process or Activity
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920	Operational management	Process or Activity
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326	Operational management	Log Management
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 [Where a data intermediary (other than a data intermediary mentioned in section 26E) has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation — that other organisations must, upon notification by the data intermediary, conduct an assessment of whether the data breach is a notifiable data breach. § 26C.(3)(b) {reasonable manner}{be efficient} Subject to subsection (3), where an organisation has reason to believe that a data breach affecting personal data in its possession or under its control has occurred, the organisation must conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach. § 26C.(2)]	Operational management	Behavior
Avoid false positive incident response notifications. CC ID 04732	Operational management	Behavior
Include information required by law in incident response notifications. CC ID 00802 [The notification under subsection (1) or (2) must contain, to the best of the knowledge and belief of the organisation at the time it notifies the Commission or affected individual (as the case may be), all the information that is prescribed for this purpose. § 26D.(3)]	Operational management	Establish/Maintain Documentation
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738	Operational management	Establish/Maintain Documentation
Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778	Privacy protection for information and data	Process or Activity
Analyze requirements for processing personal data in contracts. CC ID 12550	Privacy protection for information and data	Investigate
Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the collection and use of that personal data by B; § 15.(3)(b)]	Privacy protection for information and data	Data and Information Management
Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162	Privacy protection for information and data	Establish/Maintain Documentation
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 [{contravene} An organisation shall not provide an individual with the individual's personal data or other information under subsection (1)if the provision of that round-color:#F0BBBC;" class="term_primary-noun">personal data or other information, as the case may be, could reasonably be expected to — be contrary to the national interest. § 21.(3)(e)]	Privacy protection for information and data	Data and Information Management
Confirm the data quality of personal data collected from third parties. CC ID 13510	Privacy protection for information and data	Investigate
Review the methods for collecting personal data, as necessary. CC ID 13511	Privacy protection for information and data	Investigate
Investigate privacy rights violation complaints. CC ID 00480	Privacy protection for information and data	Behavior
Record restricted data correctly. CC ID 00089	Privacy protection for information and data	Testing
Include information identifying the organization hired to send commercial electronic messages when sending commercial electronic messages through a third party. CC ID 00286	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from unknowingly including hyperlinks in commercial electronic messages to the anti-spam policy's country of origin. CC ID 00305	Privacy protection for information and data	Testing

IT Impact Zone

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Audits and risk management CC ID 00677	Audits and risk management	IT Impact Zone
Human Resources management CC ID 00763	Human Resources management	IT Impact Zone
Operational management CC ID 00805	Operational management	IT Impact Zone
Privacy protection for information and data CC ID 00008	Privacy protection for information and data	IT Impact Zone

Preventive

969

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain a risk management program. CC ID 12051	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain a risk assessment program. CC ID 00687	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — conduct an assessment to determine that the proposed collection, use or disclosure of the personal data is not likely to have an adverse effect on the individual; § 15A.(4)(a) {legitimate interest}For the purposes of sub-paragraph (1), the organisation must — conduct an assessment, before collecting, using or disclosing the personal data (as the case may be), to determine whether sub-paragraph (1) is satisfied; and FIRST SCHEDULE PART 3 § 1.(2)(a) {legitimate interest}For the purposes of sub-paragraph (1), the organisation must — conduct an assessment, before collecting, using or disclosing the personal data (as the case may be), to determine whether sub-paragraph (1) is satisfied; and FIRST SCHEDULE PART 3 § 1.(2)(a) {legitimate interest}For the purposes of sub-paragraph (1), the organisation must — conduct an assessment, before collecting, using or disclosing the personal data (as the case may be), to determine whether sub-paragraph (1) is satisfied; and FIRST SCHEDULE PART 3 § 1.(2)(a)]	Audits and risk management	Process or Activity
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630	Audits and risk management	Establish/Maintain Documentation
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681	Audits and risk management	Establish/Maintain Documentation
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371	Audits and risk management	Establish/Maintain Documentation
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674	Audits and risk management	Establish/Maintain Documentation
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313	Audits and risk management	Communicate
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370	Audits and risk management	Establish/Maintain Documentation
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671	Audits and risk management	Establish/Maintain Documentation
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [{legitimate interest}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify and implement reasonable measures — to eliminate the adverse effect; FIRST SCHEDULE PART 3 § 1.(3)(b)(i) {legitimate interest}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify and implement reasonable measures — to reduce the likelihood that the adverse effect will occur; or FIRST SCHEDULE PART 3 § 1.(3)(b)(ii) {legitimate interest}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify and implement reasonable measures — to mitigate the adverse effect; and FIRST SCHEDULE PART 3 § 1.(3)(b)(iii)]	Audits and risk management	Establish/Maintain Documentation
Define and assign workforce roles and responsibilities. CC ID 13267	Human Resources management	Human Resources Management
Identify and define all critical roles. CC ID 00777	Human Resources management	Establish Roles
Define and assign the data controller's roles and responsibilities. CC ID 00471 [An organisation is responsible for personal data in its possession or under its yle="background-color:#F0BBBC;" class="term_primary-noun">control. § 11.(2)]	Human Resources management	Establish Roles
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616	Human Resources management	Human Resources Management
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615	Human Resources management	Human Resources Management
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666	Human Resources management	Human Resources Management
Assign the role of data controller to applicable controls. CC ID 00354	Human Resources management	Establish Roles
Assign the role of data controller to provide advice, when requested. CC ID 12611	Human Resources management	Human Resources Management
Assign the role of data controller to additional personnel, as necessary. CC ID 00473	Human Resources management	Establish Roles
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764	Human Resources management	Establish Roles
Delegate authority for specific processes, as necessary. CC ID 06780 [An individual designated under subsection (3) may delegate to another individual the responsibility conferred by that BBBC;" class="term_primary-noun">designation. § 11.(4)]	Human Resources management	Behavior
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [An organisation shall — develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under this Act; § 12.(a)]	Operational management	Establish/Maintain Documentation
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266	Operational management	Establish/Maintain Documentation
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955	Operational management	Behavior
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283	Operational management	Establish/Maintain Documentation
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861	Operational management	Acquisition/Sale of Assets or Services
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853	Operational management	Establish/Maintain Documentation
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915	Operational management	Process or Activity
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895	Operational management	Process or Activity
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809	Operational management	Audits and Risk Management
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523	Operational management	Human Resources Management
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524	Operational management	Human Resources Management
Establish, implement, and maintain a compliance policy. CC ID 14807	Operational management	Establish/Maintain Documentation
Include the standard of conduct and accountability in the compliance policy. CC ID 14813	Operational management	Establish/Maintain Documentation
Include the scope in the compliance policy. CC ID 14812	Operational management	Establish/Maintain Documentation
Include roles and responsibilities in the compliance policy. CC ID 14811	Operational management	Establish/Maintain Documentation
Include a commitment to continual improvement in the compliance policy. CC ID 14810	Operational management	Establish/Maintain Documentation
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809	Operational management	Communicate
Include management commitment in the compliance policy. CC ID 14808	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a governance policy. CC ID 15587	Operational management	Establish/Maintain Documentation
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625	Operational management	Communicate
Include a commitment to continuous improvement in the governance policy. CC ID 15595	Operational management	Establish/Maintain Documentation
Include roles and responsibilities in the governance policy. CC ID 15594	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a positive information control environment. CC ID 00813	Operational management	Business Processes
Make compliance and governance decisions in a timely manner. CC ID 06490	Operational management	Behavior
Establish, implement, and maintain an internal control framework. CC ID 00820	Operational management	Establish/Maintain Documentation
Define the scope for the internal control framework. CC ID 16325	Operational management	Business Processes
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437	Operational management	Establish Roles
Assign resources to implement the internal control framework. CC ID 00816	Operational management	Business Processes
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146	Operational management	Establish Roles
Establish, implement, and maintain a baseline of internal controls. CC ID 12415	Operational management	Business Processes
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129	Operational management	Establish/Maintain Documentation
Include the implementation status of controls in the baseline of internal controls. CC ID 16128	Operational management	Establish/Maintain Documentation
Leverage actionable information to support internal controls. CC ID 12414	Operational management	Business Processes
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819	Operational management	Establish/Maintain Documentation
Include continuous service account management procedures in the internal control framework. CC ID 13860	Operational management	Establish/Maintain Documentation
Include threat assessment in the internal control framework. CC ID 01347	Operational management	Establish/Maintain Documentation
Automate threat assessments, as necessary. CC ID 06877	Operational management	Configuration
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102	Operational management	Establish/Maintain Documentation
Automate vulnerability management, as necessary. CC ID 11730	Operational management	Configuration
Include personnel security procedures in the internal control framework. CC ID 01349	Operational management	Establish/Maintain Documentation
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358	Operational management	Establish/Maintain Documentation
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205	Operational management	Establish/Maintain Documentation
Include security information sharing procedures in the internal control framework. CC ID 06489	Operational management	Establish/Maintain Documentation
Share security information with interested personnel and affected parties. CC ID 11732	Operational management	Communicate
Evaluate information sharing partners, as necessary. CC ID 12749	Operational management	Process or Activity
Include security incident response procedures in the internal control framework. CC ID 01359	Operational management	Establish/Maintain Documentation
Include incident response escalation procedures in the internal control framework. CC ID 11745	Operational management	Establish/Maintain Documentation
Include continuous user account management procedures in the internal control framework. CC ID 01360	Operational management	Establish/Maintain Documentation
Authorize and document all exceptions to the internal control framework. CC ID 06781	Operational management	Establish/Maintain Documentation
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229	Operational management	Communicate
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835	Operational management	Communicate
Establish, implement, and maintain a cybersecurity policy. CC ID 16833	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an information security program. CC ID 00812	Operational management	Establish/Maintain Documentation
Include physical safeguards in the information security program. CC ID 12375	Operational management	Establish/Maintain Documentation
Include technical safeguards in the information security program. CC ID 12374	Operational management	Establish/Maintain Documentation
Include administrative safeguards in the information security program. CC ID 12373	Operational management	Establish/Maintain Documentation
Include system development in the information security program. CC ID 12389	Operational management	Establish/Maintain Documentation
Include system maintenance in the information security program. CC ID 12388	Operational management	Establish/Maintain Documentation
Include system acquisition in the information security program. CC ID 12387	Operational management	Establish/Maintain Documentation
Include access control in the information security program. CC ID 12386	Operational management	Establish/Maintain Documentation
Include operations management in the information security program. CC ID 12385	Operational management	Establish/Maintain Documentation
Include communication management in the information security program. CC ID 12384	Operational management	Establish/Maintain Documentation
Include environmental security in the information security program. CC ID 12383	Operational management	Establish/Maintain Documentation
Include physical security in the information security program. CC ID 12382	Operational management	Establish/Maintain Documentation
Include human resources security in the information security program. CC ID 12381	Operational management	Establish/Maintain Documentation
Include asset management in the information security program. CC ID 12380	Operational management	Establish/Maintain Documentation
Include a continuous monitoring program in the information security program. CC ID 14323	Operational management	Establish/Maintain Documentation
Include change management procedures in the continuous monitoring plan. CC ID 16227	Operational management	Establish/Maintain Documentation
include recovery procedures in the continuous monitoring plan. CC ID 16226	Operational management	Establish/Maintain Documentation
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225	Operational management	Establish/Maintain Documentation
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223	Operational management	Establish/Maintain Documentation
Include how the information security department is organized in the information security program. CC ID 12379	Operational management	Establish/Maintain Documentation
Include risk management in the information security program. CC ID 12378	Operational management	Establish/Maintain Documentation
Include mitigating supply chain risks in the information security program. CC ID 13352	Operational management	Establish/Maintain Documentation
Provide management direction and support for the information security program. CC ID 11999	Operational management	Process or Activity
Monitor and review the effectiveness of the information security program. CC ID 12744	Operational management	Monitor and Evaluate Occurrences
Establish, implement, and maintain an information security policy. CC ID 11740	Operational management	Establish/Maintain Documentation
Align the information security policy with the organization's risk acceptance level. CC ID 13042	Operational management	Business Processes
Include business processes in the information security policy. CC ID 16326	Operational management	Establish/Maintain Documentation
Include the information security strategy in the information security policy. CC ID 16125	Operational management	Establish/Maintain Documentation
Include a commitment to continuous improvement in the information security policy. CC ID 16123	Operational management	Establish/Maintain Documentation
Include roles and responsibilities in the information security policy. CC ID 16120	Operational management	Establish/Maintain Documentation
Include a commitment to the information security requirements in the information security policy. CC ID 13496	Operational management	Establish/Maintain Documentation
Include information security objectives in the information security policy. CC ID 13493	Operational management	Establish/Maintain Documentation
Include the use of Cloud Services in the information security policy. CC ID 13146	Operational management	Establish/Maintain Documentation
Include notification procedures in the information security policy. CC ID 16842	Operational management	Establish/Maintain Documentation
Approve the information security policy at the organization's management level or higher. CC ID 11737	Operational management	Process or Activity
Establish, implement, and maintain information security procedures. CC ID 12006	Operational management	Business Processes
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294	Operational management	Establish/Maintain Documentation
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303	Operational management	Communicate
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304	Operational management	Establish/Maintain Documentation
Define thresholds for approving information security activities in the information security program. CC ID 15702	Operational management	Process or Activity
Assign ownership of the information security program to the appropriate role. CC ID 00814	Operational management	Establish Roles
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884	Operational management	Human Resources Management
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885	Operational management	Establish/Maintain Documentation
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883	Operational management	Human Resources Management
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739	Operational management	Communicate
Establish, implement, and maintain a social media governance program. CC ID 06536	Operational management	Establish/Maintain Documentation
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011	Operational management	Business Processes
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009	Operational management	Business Processes
Refrain from accepting instant messages from unknown senders. CC ID 12537	Operational management	Behavior
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578	Operational management	Establish/Maintain Documentation
Include explicit restrictions in the social media acceptable use policy. CC ID 06655	Operational management	Establish/Maintain Documentation
Include contributive content sites in the social media acceptable use policy. CC ID 06656	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain operational control procedures. CC ID 00831	Operational management	Establish/Maintain Documentation
Include assigning and approving operations in operational control procedures. CC ID 06382	Operational management	Establish/Maintain Documentation
Include startup processes in operational control procedures. CC ID 00833	Operational management	Establish/Maintain Documentation
Include change control processes in the operational control procedures. CC ID 16793	Operational management	Establish/Maintain Documentation
Establish and maintain a data processing run manual. CC ID 00832	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826	Operational management	Establish/Maintain Documentation
Use systems in accordance with the standard operating procedures manual. CC ID 15049	Operational management	Process or Activity
Include metrics in the standard operating procedures manual. CC ID 14988	Operational management	Establish/Maintain Documentation
Include maintenance measures in the standard operating procedures manual. CC ID 14986	Operational management	Establish/Maintain Documentation
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984	Operational management	Establish/Maintain Documentation
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982	Operational management	Establish/Maintain Documentation
Include predetermined changes in the standard operating procedures manual. CC ID 14977	Operational management	Establish/Maintain Documentation
Include specifications for input data in the standard operating procedures manual. CC ID 14975	Operational management	Establish/Maintain Documentation
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973	Operational management	Establish/Maintain Documentation
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972	Operational management	Establish/Maintain Documentation
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969	Operational management	Establish/Maintain Documentation
Include the intended purpose in the standard operating procedures manual. CC ID 14967	Operational management	Establish/Maintain Documentation
Include information on system performance in the standard operating procedures manual. CC ID 14965	Operational management	Establish/Maintain Documentation
Include contact details in the standard operating procedures manual. CC ID 14962	Operational management	Establish/Maintain Documentation
Include information sharing procedures in standard operating procedures. CC ID 12974	Operational management	Records Management
Establish, implement, and maintain information sharing agreements. CC ID 15645	Operational management	Business Processes
Provide support for information sharing activities. CC ID 15644	Operational management	Process or Activity
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328	Operational management	Business Processes
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026	Operational management	Communicate
Establish, implement, and maintain a job scheduling methodology. CC ID 00834	Operational management	Establish/Maintain Documentation
Establish and maintain a job schedule exceptions list. CC ID 00835	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a data processing continuity plan. CC ID 00836	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350	Operational management	Establish/Maintain Documentation
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351	Operational management	Establish/Maintain Documentation
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894	Operational management	Establish/Maintain Documentation
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703	Operational management	Establish/Maintain Documentation
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708	Operational management	Establish/Maintain Documentation
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707	Operational management	Establish/Maintain Documentation
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706	Operational management	Establish/Maintain Documentation
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705	Operational management	Establish/Maintain Documentation
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293	Operational management	Establish/Maintain Documentation
Include a web usage policy in the Acceptable Use Policy. CC ID 16496	Operational management	Establish/Maintain Documentation
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352	Operational management	Establish/Maintain Documentation
Include asset tags in the Acceptable Use Policy. CC ID 01354	Operational management	Establish/Maintain Documentation
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699	Operational management	Establish/Maintain Documentation
Include asset use policies in the Acceptable Use Policy. CC ID 01355	Operational management	Establish/Maintain Documentation
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872	Operational management	Establish/Maintain Documentation
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353	Operational management	Establish/Maintain Documentation
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892	Operational management	Technical Security
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893	Operational management	Establish/Maintain Documentation
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772	Operational management	Data and Information Management
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356	Operational management	Establish/Maintain Documentation
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881	Operational management	Establish/Maintain Documentation
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357	Operational management	Establish/Maintain Documentation
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441	Operational management	Establish/Maintain Documentation
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311	Operational management	Establish/Maintain Documentation
Include a software installation policy in the Acceptable Use Policy. CC ID 06749	Operational management	Establish/Maintain Documentation
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472	Operational management	Establish/Maintain Documentation
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431	Operational management	Communicate
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661	Operational management	Establish/Maintain Documentation
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075	Operational management	Business Processes
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512	Operational management	Establish/Maintain Documentation
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an e-mail policy. CC ID 06439	Operational management	Establish/Maintain Documentation
Include business use of personal e-mail in the e-mail policy. CC ID 14381	Operational management	Establish/Maintain Documentation
Identify the sender in all electronic messages. CC ID 13996 [{be clear}{be accurate}Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes clear and accurate information identifying the individual or organisation that sent or authorised the sending of the specified message; § 44.(a) {be clear}{be accurate}Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes clear and accurate information about how the recipient can readily contact that individual or organisation; § 44.(b) Subject to section 48(3), a person that makes a voice call containing a specified message or causes a voice call containing a specified message to be made or authorises the making of a voice call containing a specified message, addressed to a Singapore telephone number, from a telephone number or fax number, must not do any of the following: conceal or withhold from the recipient the calling line identity of the sender; § 45.(a) Subject to section 48(3), a person that makes a voice call containing a specified message or causes a voice call containing a specified message to be made or authorises the making of a voice call containing a specified message, addressed to a Singapore telephone number, from a telephone number or fax number, must not do any of the following: perform any operation or issue any instruction in connection with the sending of the specified message for the purpose of, or that has the effect of, concealing or withholding from the recipient the calling line identity of the sender. § 45.(b)]	Operational management	Data and Information Management
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain nondisclosure agreements. CC ID 04536	Operational management	Establish/Maintain Documentation
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191	Operational management	Communicate
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667	Operational management	Establish/Maintain Documentation
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a use of information agreement. CC ID 06215	Operational management	Establish/Maintain Documentation
Include use limitations in the use of information agreement. CC ID 06244	Operational management	Establish/Maintain Documentation
Include disclosure requirements in the use of information agreement. CC ID 11735	Operational management	Establish/Maintain Documentation
Include information recipients in the use of information agreement. CC ID 06245	Operational management	Establish/Maintain Documentation
Include reporting out of scope use of information in the use of information agreement. CC ID 06246	Operational management	Establish/Maintain Documentation
Include disclosure of information in the use of information agreement. CC ID 11830	Operational management	Establish/Maintain Documentation
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130	Operational management	Establish/Maintain Documentation
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418	Operational management	Establish/Maintain Documentation
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131	Operational management	Establish/Maintain Documentation
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132	Operational management	Establish/Maintain Documentation
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818	Operational management	Business Processes
Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821	Operational management	Process or Activity
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819	Operational management	Process or Activity
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818	Operational management	Process or Activity
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817	Operational management	Process or Activity
Analyze the Governance, Risk, and Compliance approach. CC ID 12816	Operational management	Process or Activity
Analyze the organizational culture. CC ID 12899	Operational management	Process or Activity
Include employee engagement in the analysis of the organizational culture. CC ID 12914	Operational management	Behavior
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674	Operational management	Business Processes
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673	Operational management	Business Processes
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675	Operational management	Business Processes
Include skill development in the analysis of the organizational culture. CC ID 12913	Operational management	Behavior
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912	Operational management	Behavior
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671	Operational management	Business Processes
Include employee loyalty in the analysis of the organizational culture. CC ID 12911	Operational management	Behavior
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910	Operational management	Behavior
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{reasonable and appropriate measure} In meeting its responsibilities under this Act, an organisation shall "term_primary-verb">consider what a reasonable person would consider appropriate in the circumstances. § 11.(1) {reasonable and appropriate measure} In meeting its responsibilities under this Act, an organisation shall "term_primary-verb">consider what a reasonable person would consider appropriate in the circumstances. § 11.(1) The designation of an individual by an organisation under subsection (3) shall not relieve the organisation of any of its obligations under this Act. § 11.(6) {legitimate interest}{personal data}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — comply with any other prescribed requirements. FIRST SCHEDULE PART 3 § 1.(3)(c)]	Operational management	Establish/Maintain Documentation
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788	Operational management	Communicate
Review systems for compliance with organizational information security policies. CC ID 12004	Operational management	Business Processes
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [An organisation shall — communicate to its staff information about the organisation's policies and practices referred to in paragraph (a); and § 12.(c) An organisation shall — make information available on request about— the policies and practices referred to in paragraph (a); and § 12.(d)(i)]	Operational management	Behavior
Establish, implement, and maintain a customer service program. CC ID 00846	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an Incident Management program. CC ID 00853	Operational management	Business Processes
Include detection procedures in the Incident Management program. CC ID 00588	Operational management	Establish/Maintain Documentation
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036	Operational management	Data and Information Management
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539	Operational management	Communicate
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538	Operational management	Communicate
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547	Operational management	Establish/Maintain Documentation
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797	Operational management	Communicate
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782	Operational management	Communicate
Include data loss event notifications in the Incident Response program. CC ID 00364	Operational management	Establish/Maintain Documentation
Include required information in the written request to delay the notification to affected parties. CC ID 16785	Operational management	Establish/Maintain Documentation
Submit written requests to delay the notification of affected parties. CC ID 16783	Operational management	Communicate
Revoke the written request to delay the notification. CC ID 16843	Operational management	Process or Activity
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985	Operational management	Establish/Maintain Documentation
Refrain from charging for providing incident response notifications. CC ID 13876	Operational management	Business Processes
Title breach notifications "Notice of Data Breach". CC ID 12977	Operational management	Establish/Maintain Documentation
Display titles of incident response notifications clearly and conspicuously. CC ID 12986	Operational management	Establish/Maintain Documentation
Display headings in incident response notifications clearly and conspicuously. CC ID 12987	Operational management	Establish/Maintain Documentation
Design the incident response notification to call attention to its nature and significance. CC ID 12984	Operational management	Establish/Maintain Documentation
Use plain language to write incident response notifications. CC ID 12976	Operational management	Establish/Maintain Documentation
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983	Operational management	Establish/Maintain Documentation
Refrain from including restricted information in the incident response notification. CC ID 16806	Operational management	Actionable Reports or Measurements
Include the affected parties rights in the incident response notification. CC ID 16811	Operational management	Establish/Maintain Documentation
Include details of the investigation in incident response notifications. CC ID 12296	Operational management	Establish/Maintain Documentation
Include the issuer's name in incident response notifications. CC ID 12062	Operational management	Establish/Maintain Documentation
Include a "What Happened" heading in breach notifications. CC ID 12978	Operational management	Establish/Maintain Documentation
Include a general description of the data loss event in incident response notifications. CC ID 04734	Operational management	Establish/Maintain Documentation
Include time information in incident response notifications. CC ID 04745	Operational management	Establish/Maintain Documentation
Include the identification of the data source in incident response notifications. CC ID 12305	Operational management	Establish/Maintain Documentation
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979	Operational management	Establish/Maintain Documentation
Include the type of information that was lost in incident response notifications. CC ID 04735	Operational management	Establish/Maintain Documentation
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776	Operational management	Establish/Maintain Documentation
Include a "What We Are Doing" heading in the breach notification. CC ID 12982	Operational management	Establish/Maintain Documentation
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736	Operational management	Establish/Maintain Documentation
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737	Operational management	Establish/Maintain Documentation
Include a "For More Information" heading in breach notifications. CC ID 12981	Operational management	Establish/Maintain Documentation
Include details of the companies and persons involved in incident response notifications. CC ID 12295	Operational management	Establish/Maintain Documentation
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744	Operational management	Establish/Maintain Documentation
Include the reporting individual's contact information in incident response notifications. CC ID 12297	Operational management	Establish/Maintain Documentation
Include any consequences in the incident response notifications. CC ID 12604	Operational management	Establish/Maintain Documentation
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746	Operational management	Establish/Maintain Documentation
Include a "What You Can Do" heading in the breach notification. CC ID 12980	Operational management	Establish/Maintain Documentation
Include contact information in incident response notifications. CC ID 04739	Operational management	Establish/Maintain Documentation
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085	Operational management	Communicate
Post the incident response notification on the organization's website. CC ID 16809	Operational management	Process or Activity
Document the determination for providing a substitute incident response notification. CC ID 16841	Operational management	Process or Activity
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747	Operational management	Behavior
Include contact information in the substitute incident response notification. CC ID 16776	Operational management	Establish/Maintain Documentation
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748	Operational management	Establish/Maintain Documentation
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750	Operational management	Behavior
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769	Operational management	Behavior
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data transparency program. CC ID 00375	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain opt-out notices. CC ID 13448 [A subscriber may apply to the Commission, in the form and manner prescribed — to remove his Singapore y-verb">oun">telephone numberspan> from a register. § 40.(1)(b)]	Privacy protection for information and data	Establish/Maintain Documentation
Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465	Privacy protection for information and data	Establish/Maintain Documentation
Include the opt out method for data subjects in the opt-out notice. CC ID 13467	Privacy protection for information and data	Establish/Maintain Documentation
Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463	Privacy protection for information and data	Establish/Maintain Documentation
Explain the right to opt out in the opt-out notice. CC ID 13462	Privacy protection for information and data	Establish/Maintain Documentation
Include the organization's right to share personal data in the opt-out notice. CC ID 13450	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain adequate openness procedures. CC ID 00377 [{absent consent} An organisation, on or before collecting personal data about an individual from another organisation without the consent of the individual, shall provide the other organisation with sufficient :#CBD0E5;" class="term_secondary-verb">ary-noun">informationpan> regarding the purpose of the an style="background-color:#F0BBBC;" class="term_primary-noun">collection to allow that other organisation to determine whether the disclosure would be in accordance with this Act. § 20.(2) An organisation shall — make information available on request about — § 12.(d)]	Privacy protection for information and data	Data and Information Management
Provide public proof the organization participates in a privacy program. CC ID 12349	Privacy protection for information and data	Communicate
Publish a description of processing activities in an official register. CC ID 00379	Privacy protection for information and data	Establish/Maintain Documentation
Establish and maintain a records request manual. CC ID 00381	Privacy protection for information and data	Establish/Maintain Documentation
Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382	Privacy protection for information and data	Establish/Maintain Documentation
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383	Privacy protection for information and data	Behavior
Define what is included in registration notices. CC ID 00386	Privacy protection for information and data	Establish/Maintain Documentation
Include roles and responsibilities in the registration notice. CC ID 16803	Privacy protection for information and data	Establish Roles
Include the verification method in the registration notice. CC ID 16798	Privacy protection for information and data	Establish/Maintain Documentation
Include the statutory authority in the registration notice. CC ID 16799	Privacy protection for information and data	Establish/Maintain Documentation
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387	Privacy protection for information and data	Establish/Maintain Documentation
Include a purpose specification description in the registration notice. CC ID 00388	Privacy protection for information and data	Establish/Maintain Documentation
Include information about the dispute resolution body in the registration notice. CC ID 16800	Privacy protection for information and data	Establish/Maintain Documentation
Include the data subject category being processed in the registration notice. CC ID 00389	Privacy protection for information and data	Establish/Maintain Documentation
Include the time period for data processing in the registration notice. CC ID 00390	Privacy protection for information and data	Establish/Maintain Documentation
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392	Privacy protection for information and data	Establish/Maintain Documentation
Provide legal authorities access to personal data, upon request. CC ID 06818	Privacy protection for information and data	Data and Information Management
Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609	Privacy protection for information and data	Process or Activity
Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 [For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of— on request by the individual, the business contact information of a person who is able to econdary-verb">answer on behalf of the organisation the individual's questions about the collection, use or disclosure of the personal data. § 20.(1)(c) An organisation shall make available to the public the business contact information of at least one of the individuals designated under subsection (3) or delegated under subsection (4). § 11.(5) Without limiting subsection (5), an organisation is deemed to have satisfied that subsection if the organisation makes available the business contact information of any individual mentioned in subsection (3) in any prescribed manner. 11.(5A)]	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 [An organisation shall — make information available on request about — the complaint process referred to in paragraph (b). § 12.(d).(ii)]	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 [{person]A checker must — provide the applicable information to P in accordance with any prescribed requirements. § 43A.(2)(b)]	Privacy protection for information and data	Process or Activity
Document the countries where restricted data may be stored. CC ID 12750	Privacy protection for information and data	Data and Information Management
Protect the rights of students and their parents or legal representatives. CC ID 00222	Privacy protection for information and data	Data and Information Management
Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014	Privacy protection for information and data	Technical Security
Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025	Privacy protection for information and data	Records Management
Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019	Privacy protection for information and data	Records Management
Define the criteria for waivers of data subjects' rights. CC ID 16858	Privacy protection for information and data	Behavior
Revoke waivers of data subject's rights, as necessary. CC ID 16859	Privacy protection for information and data	Behavior
Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996	Privacy protection for information and data	Establish/Maintain Documentation
Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004	Privacy protection for information and data	Establish/Maintain Documentation
Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003	Privacy protection for information and data	Establish/Maintain Documentation
Disclose educational data, as necessary. CC ID 00223 [{disclose}{without consent} The disclosure of personal data about an individual who is a current or former student of an educational institution to a public agency for the purposes of policy formulation or review. SECOND SCHEDULE PART 3 Division 1 § 2.]	Privacy protection for information and data	Data and Information Management
Grant access to education records in support of educational program audits. CC ID 13032	Privacy protection for information and data	Records Management
Grant access to education records in support of external requirements. CC ID 13033	Privacy protection for information and data	Records Management
Disclose statements added to education records, as necessary. CC ID 12990	Privacy protection for information and data	Communicate
Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220	Privacy protection for information and data	Data and Information Management
Disclose education records when written consent is received. CC ID 00224	Privacy protection for information and data	Data and Information Management
Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002	Privacy protection for information and data	Establish/Maintain Documentation
Specify the purpose of the disclosure in the written consent. CC ID 13001	Privacy protection for information and data	Establish/Maintain Documentation
Specify which education records may be disclosed in the written consent. CC ID 13000	Privacy protection for information and data	Establish/Maintain Documentation
Document the conditions when consent is not required to disclose educational data. CC ID 00225	Privacy protection for information and data	Establish/Maintain Documentation
Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005	Privacy protection for information and data	Communicate
Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023	Privacy protection for information and data	Communicate
Disclose educational data absent consent when it concerns sex offenders. CC ID 13013	Privacy protection for information and data	Communicate
Disclose educational data absent consent to other school officials. CC ID 00226	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent to another institution's school officials. CC ID 00227	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent in connection with financial aid. CC ID 00229	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995	Privacy protection for information and data	Communicate
Disclose educational data absent consent to accrediting organizations. CC ID 00231	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent for a health and safety emergency. CC ID 00234	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent when it is merely directory information. CC ID 00235	Privacy protection for information and data	Data and Information Management
Disclose educational data absent consent to a crime victim. CC ID 00236	Privacy protection for information and data	Data and Information Management
Record the health and safety threats of students when disclosing personal data. CC ID 12997	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from providing information to the data subject, as necessary. CC ID 12625 [An organisation is not required to provide information under section 21(1) in respect of— any examination conducted by an education institution, und-color:#F0BBBC;" class="term_primary-noun">examination scripts and, prior to the release of examination results, lass="term_primary-noun">examination results; FIFTH SCHEDULE § 1.(b) An organisation is not required to provide information under section 21(1) in respect of— the personal data of the beneficiaries of a F0BBBC;" class="term_primary-noun">private trust ss="term_primary-verb">kept solely for the purpose of administering the trust; FIFTH SCHEDULE § 1.(c) An organisation is not required to provide information under section 21(1) in respect of— personal data kept by an arbitral institution or a mediation centre solely for the >purposespan> of an style="background-color:#F0BBBC;" class="term_primary-noun">arbitration or mediation proceedings administered by the arbitral institution or mediation centre; FIFTH SCHEDULE § 1.(d) An organisation is not required to provide information under section 21(1) in respect of— a document related to a prosecution if all 0BBBC;" class="term_primary-noun">proceedings related to the prosecution haground-color:#CBD0E5;" class="term_secondary-verb">ve n style="background-color:#B7D8ED;" class="term_primary-verb">not been completed; FIFTH SCHEDULE § 1.(e) An organisation is not required to provide information under section 21(1) in respect of— personal data which is primary-verb">subjectspan> to an style="background-color:#F0BBBC;" class="term_primary-noun">legal privilege; FIFTH SCHEDULE § 1.(f) An organisation is not required to provide information under section 21(1) in respect of— personal data kept by an arbitral institution or a mediation centre solely for the >purposespan> of an style="background-color:#F0BBBC;" class="term_primary-noun">arbitration or mediation proceedings administered by the arbitral institution or mediation centre; SIXTH SCHEDULE § 1.(d) {notifiable data breach}An organisation must not notify any affected individual in accordance with subsection (2) if — the Commission so directs. § 26D.(6)(b) An organisation is not required to provide information under section 21(1) in respect of — derived personal data. SIXTH SCHEDULE § 1.(f)]	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 [{notifiable data breach}An organisation must not notify any affected individual in accordance with subsection (2) if — a prescribed law enforcement agency so instructs; or § 26D.(6)(a)]	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645	Privacy protection for information and data	Communicate
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629	Privacy protection for information and data	Communicate
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628	Privacy protection for information and data	Communicate
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [{legitimate interest}For the purposes of sub-paragraph (1), the organisation must — provide the individual with reasonable access to information about the organisation's collection, use or disclosure of personal data (as the case may be) in accordance with sub-paragraph (1). FIRST SCHEDULE PART 3 § 1.(2)(b)]	Privacy protection for information and data	Data and Information Management
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780	Privacy protection for information and data	Business Processes
Provide the data subject with the data protection officer's contact information. CC ID 12573	Privacy protection for information and data	Business Processes
Notify the data subject of the right to data portability. CC ID 12603	Privacy protection for information and data	Process or Activity
Provide the data subject with information about the right to erasure. CC ID 12602	Privacy protection for information and data	Process or Activity
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [Any person may apply to the Commission, in the form and manner required by the Commission, to confirm whether any Singapore ;" class="term_primary-noun">telephone number is listed in a oun">register. § 40.(2)]	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399	Privacy protection for information and data	Data and Information Management
Establish and maintain a disclosure accounting record. CC ID 13022	Privacy protection for information and data	Establish/Maintain Documentation
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680	Privacy protection for information and data	Establish/Maintain Documentation
Include the disclosure purpose in the disclosure accounting record. CC ID 07135 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the organisation's intention to collect, use or disclose the personal data; § 15A.(4)(b)(i)]	Privacy protection for information and data	Establish/Maintain Documentation
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the purpose for which the personal data will be collected, used or disclosed; § 15A.(4)(b)(ii)]	Privacy protection for information and data	Communicate
Establish, implement, and maintain personal data choice and consent program. CC ID 12569 [A subscriber may apply to the Commission, in the form and manner prescribed — to add his Singapore y-verb">">telephone numbern> to a register; or § 40.(1)(a) A person does not contravene subsection (1) if the subscriber or user of the Singapore telephone number to which a specified message is sent — gave clear and unambiguous consent to the sending of the specified message to that Singapore telephone number; and § 43.(4)(a)]	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain data request procedures. CC ID 16546	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435	Privacy protection for information and data	Human Resources Management
Refrain from charging a fee to implement an opt-out request. CC ID 13877	Privacy protection for information and data	Business Processes
Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 [A person does not contravene subsection (1) if the subscriber or user of the Singapore telephone number to which a specified message is sent — the consent is evidenced in written or other form so as to be accessible for subsequent reference. § 43.(4)(b)]	Privacy protection for information and data	Establish/Maintain Documentation
Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438	Privacy protection for information and data	Establish/Maintain Documentation
Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999	Privacy protection for information and data	Establish/Maintain Documentation
Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440	Privacy protection for information and data	Establish/Maintain Documentation
Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439	Privacy protection for information and data	Establish/Maintain Documentation
Include the identity of the data subject in the disclosure authorization form. CC ID 13436	Privacy protection for information and data	Establish/Maintain Documentation
Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442	Privacy protection for information and data	Establish/Maintain Documentation
Include how personal data will be used in the disclosure authorization form. CC ID 13441	Privacy protection for information and data	Establish/Maintain Documentation
Include agreement termination information in the disclosure authorization form. CC ID 13437	Privacy protection for information and data	Establish/Maintain Documentation
Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781	Privacy protection for information and data	Business Processes
Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795	Privacy protection for information and data	Business Processes
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391	Privacy protection for information and data	Data and Information Management
Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452	Privacy protection for information and data	Business Processes
Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454	Privacy protection for information and data	Business Processes
Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526	Privacy protection for information and data	Data and Information Management
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [{allow} On giving notice, a subscriber or user of a Singapore telephone number may at any time withdraw any consent given to a person for the ="background-color:#CBD0E5;" class="term_secondary-verb">sending of any specified message to that Singapore telephone number. § 47.(1)]	Privacy protection for information and data	Business Processes
Confirm the individual's identity before granting an opt-out request. CC ID 16813	Privacy protection for information and data	Process or Activity
Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988	Privacy protection for information and data	Establish/Maintain Documentation
Allow consent requests to be provided in any official languages. CC ID 16530	Privacy protection for information and data	Business Processes
Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537	Privacy protection for information and data	Communicate
Collect and retain disclosure authorizations for each data subject. CC ID 13434	Privacy protection for information and data	Records Management
Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 [{refrain from requiring}(is unreasonable} A person shall not, as a condition for supplying goods, services, land, interest or opportunity, require a subscriber or user of a Singapore telephone number to give -verb">ound-color:#F0BBBC;" class="term_primary-noun">consentspan> for the sending of a specified le="background-color:#F0BBBC;" class="term_primary-noun">message to that Singapore telephone number or any other Singapore telephone number beyond what is reasonable to provide the goods, services, land, interest or opportunity to that subscriber or user, and any consent given in such circumstance is not validly given. § 46.(1) An organisation shall not — as a condition of providing a product or service, require an individual to consent to the collection, use or disclosure of personal data about the individual beyond what is reasonable to provide the product or service to that individual; or § 14.(2)(a)]	Privacy protection for information and data	Data and Information Management
Refrain from obtaining consent through deception. CC ID 13556 [{deceptive act or practice}{refrain from accepting} If a person obtains or attempts to obtain consent for sending a specified message to a Singapore telephone number— by providing="term_secondary-verb"> false or misleading information with respect to the sending of the specified message; or by using deceptive or misleading practices, any und-coloy-verb">r:#F0BBBC;" class="term_primary-noun">consent given in such circumstances is not validly given. § 46.(2) ¶ 1 An organisation shall not — obtain or attempt to obtain consent for collecting, using, or disclosing personal data by providing false or misleading information with respect to the collection, use, or disclosure of the personal data, or using deceptive or misleading practices. § 14.(2)(b)]	Privacy protection for information and data	Data and Information Management
Give individuals the ability to change the uses of their personal data. CC ID 00469 [{refrain from using} Notwithstanding the other provisions in this Part, an organisation may use personal data about an individual collected before the appointed day for the purposes for which the personal data was collected unless — consent for such use is withdrawn in accordance with section 16; or § 19.(a) A person shall not prohibit a subscriber or user of a Singapore telephone number from withdrawing his consent to the sending of a specified ound-color:#F0BBBC;" class="terd-color:#CBD0E5;" class="term_secondary-verb">m_primary-noun">message to that Singapore telephone number, but this section shall not affect any legal consequences arising from such withdrawal. § 47.(2)]	Privacy protection for information and data	Data and Information Management
Notify data subjects of the implications of withdrawing consent. CC ID 13551 [On receipt of the notice referred to in subsection (1), the organisation concerned shall inform the individual of the likely consequences of withdrawing his consent. § 16.(2) An organisation shall not prohibit an individual from withdrawing his consent to the collection, use or disclosure of personal data about the individual, but this section shall not affect any legal consequences arising from such withdrawal. § 16.(3)]	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain a personal data accountability program. CC ID 13432	Privacy protection for information and data	Establish/Maintain Documentation
Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 [An organisation shall designate one or more individuals to be responsible for ensuring that the organisation verb">complies with this Act. § 11.(3)]	Privacy protection for information and data	Human Resources Management
Require data controllers to be accountable for their actions. CC ID 00470	Privacy protection for information and data	Establish Roles
Notify the supervisory authority. CC ID 00472 [{terminated telephone number} Every telecommunications service provider shall report to the ground-color:#F0BBBC;" class="term_primary-noun">Commission, in the form and manner prescribed, all terminated Singapore telephone numbers. § 42.(1) {report}{terminated telephone number}For the purpose of subsection (1), where — it shall be the responsibility of the first provider to satisfy subsection (1). § 42.(4) ¶ 1]	Privacy protection for information and data	Behavior
Establish, implement, and maintain approval applications. CC ID 16778	Privacy protection for information and data	Establish/Maintain Documentation
Define the requirements for approving or denying approval applications. CC ID 16780	Privacy protection for information and data	Business Processes
Submit approval applications to the supervisory authority. CC ID 16627	Privacy protection for information and data	Communicate
Include required information in the approval application. CC ID 16628	Privacy protection for information and data	Establish/Maintain Documentation
Extend the time limit for approving or denying approval applications. CC ID 16779	Privacy protection for information and data	Business Processes
Approve the approval application unless applicant has been convicted. CC ID 16603	Privacy protection for information and data	Process or Activity
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606	Privacy protection for information and data	Process or Activity
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605	Privacy protection for information and data	Communicate
Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 [{business improvement purpose}Sub-paragraph (1)(a) and (c) applies only if — X and Y are bound by any contract or other agreement or binding corporate rules requiring the recipient of personal data about P to implement and maintain appropriate safeguards for the personal data. FIRST SCHEDULE PART 5 § 1.(3)(c)]	Privacy protection for information and data	Establish/Maintain Documentation
Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682	Privacy protection for information and data	Establish/Maintain Documentation
Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612	Privacy protection for information and data	Establish/Maintain Documentation
Include data subject's rights in the Binding Corporate Rules. CC ID 12596	Privacy protection for information and data	Establish/Maintain Documentation
Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597	Privacy protection for information and data	Establish/Maintain Documentation
Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595	Privacy protection for information and data	Establish/Maintain Documentation
Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594	Privacy protection for information and data	Establish/Maintain Documentation
Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620	Privacy protection for information and data	Establish/Maintain Documentation
Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593	Privacy protection for information and data	Establish/Maintain Documentation
Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591	Privacy protection for information and data	Establish/Maintain Documentation
Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592	Privacy protection for information and data	Establish/Maintain Documentation
Include complaint procedures in the Binding Corporate Rules. CC ID 12613	Privacy protection for information and data	Establish/Maintain Documentation
Include the data transfers in the Binding Corporate Rules. CC ID 12590	Privacy protection for information and data	Establish/Maintain Documentation
Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662	Privacy protection for information and data	Establish/Maintain Documentation
Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601	Privacy protection for information and data	Establish/Maintain Documentation
Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600	Privacy protection for information and data	Establish/Maintain Documentation
Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599	Privacy protection for information and data	Establish/Maintain Documentation
Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598	Privacy protection for information and data	Establish/Maintain Documentation
Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627	Privacy protection for information and data	Establish/Maintain Documentation
Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain Data Processing Contracts. CC ID 12650	Privacy protection for information and data	Establish/Maintain Documentation
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — satisfy any other prescribed requirements. § 15A.(4)(c) The organisation must, in respect of the assessment mentioned in subsection (4)(a) — comply with any other prescribed requirements. § 15A.(5)(c) {person}A checker is deemed to have complied with subsection (2)(a) if — the applicable information that the checker provides to P is in accordance with a reply from the Commission in response to the checker's application under section 40(2); and § 43A.(3)(a)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 [{prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: if any personal data X collects from Y does not relate directly to the part of Y or Y's business assets with which the business asset transaction entered into is concerned, X must destroy, or return to Y, that personal data; FIRST SCHEDULE PART 4 § 1.(4)(b)]	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data use limitation program. CC ID 13428	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093	Privacy protection for information and data	Establish/Maintain Documentation
Notify the data subject of the collection purpose. CC ID 00095 [For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of— the purposes for the collection, use or disclosure of the personal data, as the case may be, on or before pan style="background-color:#CBD0E5;" class="term_secondary-verb">collecting the personal data; § 20.(1)(a) For the purposes of subsection (4), the organisation must inform the individual of the following: the purpose for which the organisation is collecting, using or disclosing (as the case may be) the personal data about the individual; § 20.(5)(a) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the purpose for which the personal data will be collected, used or disclosed; § 15A.(4)(b)(ii) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the organisation's intention to collect, use or disclose the personal data; § 15A.(4)(b)(i) {individual's vital interest} Where the organisation collects, uses or discloses (as the case may be) personal data about the individual under sub-paragraph (1), the organisation must, as soon as is practicable, notify the individual of the collection, use or disclosure (as the case may be) and the purpose for the collection, use or disclosure, as the case may be. FIRST SCHEDULE PART 1 § 1.(2)]	Privacy protection for information and data	Behavior
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096	Privacy protection for information and data	Data and Information Management
Notify the data subject of changes to personal data use. CC ID 00105 [For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of— any other purpose of the use or disclosure of the personal data of which the individual has not been informed under paragraph (a), before the un">usepan> or disclosure of the personal data for that purpose; and § 20.(1)(b)]	Privacy protection for information and data	Behavior
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 [If an individual gives or is deemed to have given, consent to the disclosure of personal data about the individual by one organisation to another organisation for a particular purpose, the individual is deemed to consent to the collection, use, or disclosure of the personal data for that particular purpose by that other organisation. § 15.(2) {consent}{disclosure} Where an organisation collects personal data disclosed to it by B under subsection (3)(c), subsection (3)(b) and (c) applies to the organisation as if the personal data were disclosed by A to the organisation under subsection (3)(a). § 15.(4)]	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449	Privacy protection for information and data	Establish/Maintain Documentation
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447	Privacy protection for information and data	Establish/Maintain Documentation
Dispose of media and restricted data in a timely manner. CC ID 00125 [{dispose}{deidentify}{no longer appropriate} An organisation shall cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that — the ass="term_primastyle="background-color:#CBD0E5;" class="term_secondary-verb">ry-noun">purpose for which that personal data was collected is no longer being served by retention of the personal data; and § 25.(a) {dispose}{deidentify} An organisation shall cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that— <span style="background-color:#F0BBBC;" class="term_primary-noun">retention is style="background-color:#CBD0E5;" class="term_secondary-verb">rm_primary-verb">no longer necessaryspan> for legal or business purposes. § 25.(b) {prospective party}{organization} If the business asset transaction does not proceed or is not completed, X must destroy, or return to Y, all personal data collected. FIRST SCHEDULE PART 4 § 1.(5) {organization}{prospective party}{business asset transaction}{individual}If the relevant transaction does not proceed or is not completed — X must destroy, or return to Y or Z (as the case may be), all personal data collected; and FIRST SCHEDULE PART 4 § 2.(4)(a) {business asset transaction}{organization}If the relevant transaction does not proceed or is not completed — Y must destroy, or return to Z, all personal data collected. FIRST SCHEDULE PART 4 § 2.(4)(b)]	Privacy protection for information and data	Data and Information Management
Refrain from destroying records being inspected or reviewed. CC ID 13015	Privacy protection for information and data	Records Management
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502	Privacy protection for information and data	Communicate
Establish, implement, and maintain data access procedures. CC ID 00414	Privacy protection for information and data	Establish/Maintain Documentation
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 [An organisation may collect, use or disclose personal data about an individual only for purposes— that the -noun">individual has been n style="background-color:#B7D8ED;" class="term_primary-verb">informed of under section 20, if applicable. § 18.(b) Subject to subsections (2), (3) and (4), on request of an individual, an organisation shall, as soon as reasonably possible, provide the individual with— information about the ways in which the personal data referred to in paragraph (a) has been or may have been used or disclosed by the organisation within a year before the date of the request. § 21.(1)(b) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the purpose for which the personal data will be collected, used or disclosed; § 15A.(4)(b)(ii) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the organisation's intention to collect, use or disclose the personal data; § 15A.(4)(b)(i) {individual's vital interest} Where the organisation collects, uses or discloses (as the case may be) personal data about the individual under sub-paragraph (1), the organisation must, as soon as is practicable, notify the individual of the collection, use or disclosure (as the case may be) and the purpose for the collection, use or disclosure, as the case may be. FIRST SCHEDULE PART 1 § 1.(2) For the purposes of subsection (4), the organisation must inform the individual of the following: the purpose for which the organisation is collecting, using or disclosing (as the case may be) the personal data about the individual; § 20.(5)(a) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or § 20.(4)(a) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or § 20.(4)(a) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or § 20.(4)(a) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. § 20.(4)(b) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. § 20.(4)(b) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. § 20.(4)(b)]	Privacy protection for information and data	Data and Information Management
Provide individuals with information about disclosure of their personal data. CC ID 00417 [{individual's vital interest} Where the organisation collects, uses or discloses (as the case may be) personal data about the individual under sub-paragraph (1), the organisation must, as soon as is practicable, notify the individual of the collection, use or disclosure (as the case may be) and the purpose for the collection, use or disclosure, as the case may be. FIRST SCHEDULE PART 1 § 1.(2)]	Privacy protection for information and data	Data and Information Management
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [{allow} An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. § 22.(1)]	Privacy protection for information and data	Establish/Maintain Documentation
Submit personal data removal requests in writing. CC ID 11973	Privacy protection for information and data	Records Management
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 [Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the organisation satisfies the requirements in subsection (4); and § 15A.(2)(a)]	Privacy protection for information and data	Establish/Maintain Documentation
Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual; § 15A.(5)(a) {legitimate interest}{collect}{disclose}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify any adverse effect that the proposed collection, use or disclosure (as the case may be) of personal data about an individual is likely to have on the individual; FIRST SCHEDULE PART 3 § 1.(3)(a)]	Privacy protection for information and data	Data and Information Management
Disclose de-identified data, as necessary. CC ID 13034	Privacy protection for information and data	Communicate
Notify the data subject after personal data is used or disclosed. CC ID 06247 [{business asset transaction}{organization}{prospective party}If X enters into the relevant transaction, the following conditions apply: X, Y or Z must notify the applicable individuals of Z whose personal data is disclosed that — the relevant transaction has taken place; and FIRST SCHEDULE PART 4 § 2.(3)(c)(i) {business asset transaction}{organization}{prospective party}If X enters into the relevant transaction, the following conditions apply: X, Y or Z must notify the applicable individuals of Z whose personal data is disclosed that — the personal data about them has been disclosed to X. FIRST SCHEDULE PART 4 § 2.(3)(c)(ii) If X enters into the business asset transaction, the following conditions apply: X or Y must notify the applicable individuals of Y whose personal data is disclosed that — the business asset transaction has taken place; and FIRST SCHEDULE PART 4 § 1.(4)(c)(i)]	Privacy protection for information and data	Behavior
Refrain from processing restricted data, as necessary. CC ID 12551 [Notwithstanding the other provisions in this Part, an organisation may use personal data about an individual collected before the appointed day for the purposes for which the personal data was collected unless — the individual, whether before, on or after the appointed day, has otherwise indicated to the organisation that he does not consent to the use of the personal data. § 19.(b) An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless — § 13.]	Privacy protection for information and data	Records Management
Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668	Privacy protection for information and data	Process or Activity
Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data when the data subject consents to retention. CC ID 14326	Privacy protection for information and data	Business Processes
Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644	Privacy protection for information and data	Process or Activity
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197	Privacy protection for information and data	Data and Information Management
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528	Privacy protection for information and data	Data and Information Management
Refrain from processing personal data when it reveals trade union membership. CC ID 12583	Privacy protection for information and data	Business Processes
Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582	Privacy protection for information and data	Business Processes
Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581	Privacy protection for information and data	Business Processes
Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580	Privacy protection for information and data	Business Processes
Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579	Privacy protection for information and data	Business Processes
Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578	Privacy protection for information and data	Business Processes
Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577	Privacy protection for information and data	Business Processes
Refrain from processing personal data when it reveals religious beliefs. CC ID 12576	Privacy protection for information and data	Business Processes
Refrain from processing personal data when it reveals political opinions. CC ID 12575	Privacy protection for information and data	Business Processes
Refrain from processing personal data if it reveals ethnic origin. CC ID 12574	Privacy protection for information and data	Business Processes
Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619	Privacy protection for information and data	Process or Activity
Establish and maintain a record of processing activities when processing restricted data. CC ID 12636	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375	Privacy protection for information and data	Establish/Maintain Documentation
Include the data protection officer's contact information in the record of processing activities. CC ID 12640	Privacy protection for information and data	Records Management
Include the data processor's contact information in the record of processing activities. CC ID 12657	Privacy protection for information and data	Records Management
Include the data processor's representative's contact information in the record of processing activities. CC ID 12658	Privacy protection for information and data	Records Management
Include a general description of the implemented security measures in the record of processing activities. CC ID 12641	Privacy protection for information and data	Records Management
Include a description of the data subject categories in the record of processing activities. CC ID 12659	Privacy protection for information and data	Records Management
Include the purpose of processing restricted data in the record of processing activities. CC ID 12663	Privacy protection for information and data	Records Management
Include the personal data processing categories in the record of processing activities. CC ID 12661	Privacy protection for information and data	Records Management
Include the time limits for erasing each data category in the record of processing activities. CC ID 12690	Privacy protection for information and data	Records Management
Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664	Privacy protection for information and data	Records Management
Include a description of the personal data categories in the record of processing activities. CC ID 12660	Privacy protection for information and data	Records Management
Include the joint data controller's contact information in the record of processing activities. CC ID 12639	Privacy protection for information and data	Records Management
Include the data controller's representative's contact information in the record of processing activities. CC ID 12638	Privacy protection for information and data	Records Management
Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643	Privacy protection for information and data	Records Management
Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642	Privacy protection for information and data	Records Management
Include the data controller's contact information in the record of processing activities. CC ID 12637	Privacy protection for information and data	Records Management
Process restricted data lawfully and carefully. CC ID 00086 [{be appropriate} An organisation may collect, use or disclose personal data> about an individual only for purposes— that a reasonable person would consider appropriate in the n style="background-color:#F0BBBC;" class="term_primary-noun">circumstances; and § 18.(a)]	Privacy protection for information and data	Establish Roles
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646	Privacy protection for information and data	Technical Security
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200	Privacy protection for information and data	Data and Information Management
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966	Privacy protection for information and data	Records Management
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210	Privacy protection for information and data	Establish/Maintain Documentation
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212	Privacy protection for information and data	Data and Information Management
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970	Privacy protection for information and data	Records Management
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969	Privacy protection for information and data	Process or Activity
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976	Privacy protection for information and data	Records Management
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250	Privacy protection for information and data	Data and Information Management
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257	Privacy protection for information and data	Establish/Maintain Documentation
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201	Privacy protection for information and data	Establish/Maintain Documentation
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 [{disclose}The disclosure of personal data about an individual who is a current or former patient of any of the following to a public agency for the purposes of policy formulation or review: a healthcare institution licensed under the Private Hospitals and Medical Clinics Act (Cap. 248); SECOND SCHEDULE PART 3 Division 1 § 3.(a)]	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 [{disclose}The disclosure of personal data about an individual who is a current or former patient of any of the following to a public agency for the purposes of policy formulation or review: a prescribed healthcare body. SECOND SCHEDULE PART 3 Division 1 § 3.(c) {disclose}The disclosure of personal data about an individual who is a current or former patient of any of the following to a public agency for the purposes of policy formulation or review: a licensee under the Healthcare Services Act 2020 (Act 3 of 2020); SECOND SCHEDULE PART 3 Division 1 § 3.(b)]	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819	Privacy protection for information and data	Data and Information Management
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216	Privacy protection for information and data	Establish/Maintain Documentation
Define and implement valid authorization control requirements. CC ID 06258	Privacy protection for information and data	Establish/Maintain Documentation
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217	Privacy protection for information and data	Data and Information Management
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218	Privacy protection for information and data	Data and Information Management
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219	Privacy protection for information and data	Data and Information Management
Process personal data after the data subject has granted explicit consent. CC ID 00180 [{refrain from processing} An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless— the individual rb">gives</span>, or is deemed to have given, his consent under this Act to the collection, use or disclosure, as the case may be; or § 13.(a)]	Privacy protection for information and data	Data and Information Management
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182	Privacy protection for information and data	Data and Information Management
Process personal data relating to criminal offenses when required by law. CC ID 00237	Privacy protection for information and data	Data and Information Management
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183	Privacy protection for information and data	Data and Information Management
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184	Privacy protection for information and data	Data and Information Management
Process personal data for statistical purposes or scientific purposes. CC ID 00256	Privacy protection for information and data	Data and Information Management
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [{collect}{disclose}Subject to sub-paragraphs (2), (3) and (4) — the collection, use or disclosure (as the case may be) of personal data about an individual is in the legitimate interests of the organisation or another person; and FIRST SCHEDULE PART 3 § 1.(1)(a)]	Privacy protection for information and data	Data and Information Management
Process traffic data in a controlled manner. CC ID 00130	Privacy protection for information and data	Data and Information Management
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186	Privacy protection for information and data	Data and Information Management
Process personal data when it is publicly accessible. CC ID 00187 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual that is publicly available. FIRST SCHEDULE PART 2 § 1.]	Privacy protection for information and data	Data and Information Management
Process personal data for direct marketing and other personalized mail programs. CC ID 00188	Privacy protection for information and data	Data and Information Management
Refrain from processing personal data for marketing or advertising to children. CC ID 14010	Privacy protection for information and data	Business Processes
Process personal data for the purposes of employment. CC ID 16527	Privacy protection for information and data	Data and Information Management
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services. FIRST SCHEDULE PART 3 § 5.]	Privacy protection for information and data	Data and Information Management
Process personal data for debt collection or benefit payments. CC ID 00190 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to recover a debt owed by the individual to the organisation; or FIRST SCHEDULE PART 3 § 4.(a) {collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to pay to the individual a debt owed by the organisation. FIRST SCHEDULE PART 3 § 4.(b) {legitimate interest}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — confer an interest or a benefit on the individual under a private trust or benefit plan; and FIRST SCHEDULE PART 3 § 7.(a)]	Privacy protection for information and data	Data and Information Management
Process personal data in order to advance the public interest. CC ID 00191 [The use of personal data about an individual for a research purpose (including historical or statistical research), if — there is a clear public benefit to using the personal data for the research purpose; SECOND SCHEDULE PART 2 Division 3 § 1.(b)]	Privacy protection for information and data	Data and Information Management
Process personal data for surveys, archives, or scientific research. CC ID 00192	Privacy protection for information and data	Data and Information Management
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 [{without consent} The personal data about an individual is collected, used or disclosed (as the case may be) by a news organisation solely for its news activity. FIRST SCHEDULE PART 2 § 5. {without consent}{artistic purpose}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for artistic or literary purposes. FIRST SCHEDULE PART 2 § 3.]	Privacy protection for information and data	Data and Information Management
Process personal data for academic purposes or religious purposes. CC ID 00194	Privacy protection for information and data	Data and Information Management
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195	Privacy protection for information and data	Data and Information Management
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196	Privacy protection for information and data	Data and Information Management
Follow legal obligations while processing personal data. CC ID 04794	Privacy protection for information and data	Data and Information Management
Start personal data processing only after the needed notifications are submitted. CC ID 04791	Privacy protection for information and data	Data and Information Management
Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 [An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if— it is reasonable that the individual would voluntarily provide the y-verb">le="background-color:#F0BBBC;" class="term_primary-noun">data. § 15.(1)(b) An organisation may — use personal data about an individual without the consent of the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 2 of the Second Schedule; or § 17.(1)(b) {individual's vital interest}{without consent}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — the individual would not reasonably be expected to withhold consent. FIRST SCHEDULE PART 1 § 1.(1)(b) {without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is in the national interest. FIRST SCHEDULE PART 2 § 2. {business improvement purpose}{organization}Subject to the conditions in sub-paragraphs (3), (4) and (5), personal data about an individual (P) — is used by X for a relevant purpose; or FIRST SCHEDULE PART 5 § 1.(1)(b) {business improvement purpose}Sub-paragraph (1)(b) applies only if — a reasonable person would consider the use of personal data about P for the relevant purpose to be appropriate in the circumstances. FIRST SCHEDULE PART 5 § 1.(4)(b) {business improvement purpose}{refrain from achieving}Sub-paragraph (1)(b) applies only if — the relevant purpose for which X uses personal data about P cannot reasonably be achieved without the use of the personal data in an individually identifiable form; and FIRST SCHEDULE PART 5 § 1.(4)(a)]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 [{individual's vital interest}{collect}{disclose} Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — FIRST SCHEDULE PART 1 § 1.(1)]	Privacy protection for information and data	Process or Activity
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617	Privacy protection for information and data	Data and Information Management
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 [{without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or FIRST SCHEDULE PART 3 § 10.(a) {without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. FIRST SCHEDULE PART 3 § 10.(b)]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 [Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: improving or enhancing any goods or services provided, or developing new goods or services to be provided, by the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(a) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: learning about and understanding the behaviour and preferences of P or another individual in relation to the goods or services provided by the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(c) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: identifying any goods or services provided by the organisation that may be suitable for P or another individual, or personalising or customising any such goods or services for P or another individual. SECOND SCHEDULE PART 2 Division 2 § 1.(1)(d) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: identifying any goods or services provided by the organisation that may be suitable for P or another individual, or personalising or customising any such goods or services for P or another individual. SECOND SCHEDULE PART 2 Division 2 § 1.(1)(d)]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 [{individual's vital interest}The collection, use or disclosure (as the case may be) of personal data about an individual, where — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; and FIRST SCHEDULE PART 1 § 3.(a)]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 [{individual's vital interest}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; or FIRST SCHEDULE PART 1 § 1.(1)(a)]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 [{without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is used or disclosed by X in relation to the business asset transaction; or FIRST SCHEDULE PART 4 § 1.(1)(b) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is used or disclosed by X or Y in relation to the relevant transaction; or FIRST SCHEDULE PART 4 § 2.(1)(b) {legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — relates to a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual. FIRST SCHEDULE PART 3 § 6.(1)(b) {business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: X may use or disclose the personal data collected from Y or Z (as the case may be) only for the same purposes for which Y or Z (as the case may be) would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(a)]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent in order to perform a contract. CC ID 13586 [{prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: X may use or disclose the personal data X collected from Y only for the same purposes for which Y would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 1.(4)(a) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X and Y must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the business asset transaction. FIRST SCHEDULE PART 4 § 1.(3)(b) {business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y and Z must have entered into an agreement that requires Y to use or disclose the personal data solely for purposes related to the relevant transaction. FIRST SCHEDULE PART 4 § 2.(2)(b)(ii)]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581	Privacy protection for information and data	Data and Information Management
Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814	Privacy protection for information and data	Data and Information Management
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 [{is necessary}{without consent} The collection, use or disclosure of personal data is for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual. FIRST SCHEDULE PART 1 § 4.]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 [{refrain from achieving}The use of personal data about an individual for a research purpose (including historical or statistical research), if — the research purpose cannot reasonably be accomplished unless the personal data is used in an individually identifiable form; SECOND SCHEDULE PART 2 Division 3 § 1.(a) {collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for evaluative purposes. FIRST SCHEDULE PART 3 § 2. The use of personal data about an individual for a research purpose (including historical or statistical research), if — the results of the research will not be used to make any decision that affects the individual; and SECOND SCHEDULE PART 2 Division 3 § 1.(c)]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when it is needed by law. CC ID 13577 [{refrain from processing} An organisation shall not, on or after the appointed day, collect,use or disclose personal data about an individual unless— the collection, use or disclosure, as the case may be, without the consent of the individual is 0E5;" class="term_secondary-verb">required or authorised under this Act or any other written law. § 13.(b) Subject to section 25, if an individual withdraws consent to the collection, use or disclosure of personal data about the individual by an organisation for any purpose, the organisation shall cease (and cause its data intermediaries and agents to cease) collecting, using or disclosing the personal data, as the case may be, unless such collection, use or disclosure, as the case may be, without the consent of the individual is required or authorised under this Act or other written law. § 16.(4)]	Privacy protection for information and data	Data and Information Management
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 [{without consent}{archival purpose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for archival or historical purposes, if a reasonable person would not consider the personal data to be too sensitive to the individual to be collected, used or disclosed (as the case may be) at the proposed time. FIRST SCHEDULE PART 2 § 4.]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when it is from publicly available information. CC ID 13576 [{without consent}The use of personal data about an individual, if — the personal data was disclosed by a public agency; and SECOND SCHEDULE PART 2 Division 1 § 1.(a)]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent to create a credit report. CC ID 15288 [{legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — is for the purpose of the preparation by a credit bureau of a credit report; or FIRST SCHEDULE PART 3 § 6.(1)(a)]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 [Unless otherwise provided under this Act, an organisation may — use or disclose personal data about an individual that — for purposes consistent with the purpose of that collection, or for any purpose permitted by subsection (1)(b) or (c), as the case may be. § 17.(2)(b) ¶ 1 Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the collection and use of that personal data by B, where the collection and use are reasonably necessary for any purpose mentioned in paragraph (a); § 15.(6)(b) {without consent}The personal data about an individual — is collected, used or disclosed (as the case may be) for purposes consistent with the purpose for which the document was produced. FIRST SCHEDULE PART 3 § 9.(b) {personal purpose}{domestic purposes}The personal data about an individual — is collected, used or disclosed (as the case may be) by the organisation solely for the purpose in sub-paragraph (a). FIRST SCHEDULE PART 3 § 8.(b) {without consent}The use of personal data about an individual, if — the use of personal data by the organization is consistent with the purpose of the disclosure by the public agency. SECOND SCHEDULE PART 2 Division 1 § 1.(b)]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 [{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — administer that trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be. FIRST SCHEDULE PART 3 § 7.(b)]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when produced for business purposes. CC ID 13563 [Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: improving or enhancing any goods or services provided, or developing new goods or services to be provided, by the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(a) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: improving or enhancing the methods or processes, or developing new methods or processes, for the operations of the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(b) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: improving or enhancing the methods or processes, or developing new methods or processes, for the operations of the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(b) {cannot achieve}Sub-paragraph (1) applies only if — the purpose for which the organisation uses personal data about P cannot reasonably be achieved without the use of the personal data in an individually identifiable form; and SECOND SCHEDULE PART 2 Division 2 § 1.(2)(a) {business improvement purpose}Sub-paragraph (1) applies only if — a reasonable person would consider the use of personal data about P for that purpose to be appropriate in the circumstances. SECOND SCHEDULE PART 2 Division 2 § 1.(2)(b)]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent for handling insurance claims. CC ID 13561	Privacy protection for information and data	Data and Information Management
Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533	Privacy protection for information and data	Data and Information Management
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560	Privacy protection for information and data	Data and Information Management
Process personal data absent consent for life-threatening emergencies. CC ID 13558 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual, where — there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected. FIRST SCHEDULE PART 1 § 3.(b)]	Privacy protection for information and data	Data and Information Management
Process personal data absent consent for reasonable investigative purposes. CC ID 13557 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any investigation or proceedings. FIRST SCHEDULE PART 3 § 3.]	Privacy protection for information and data	Data and Information Management
Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 [{prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: X or Y must notify the applicable individuals of Y whose personal data is disclosed that — the personal data about them has been disclosed to X. FIRST SCHEDULE PART 4 § 1.(4)(c)(ii)]	Privacy protection for information and data	Behavior
Define security breach notification requirement exceptions. CC ID 04797	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 [An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless — § 13.]	Privacy protection for information and data	Records Management
Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary — § 15.(6)(a)]	Privacy protection for information and data	Data and Information Management
Define what restricted data is not required to be disclosed absent consent. CC ID 00134	Privacy protection for information and data	Establish/Maintain Documentation
Define the exceptions to disclosure absent consent. CC ID 00135	Privacy protection for information and data	Establish/Maintain Documentation
Define opt-out exceptions for disclosing restricted data. CC ID 00159	Privacy protection for information and data	Establish/Maintain Documentation
Define how a data subject may give consent. CC ID 00160 [An individual has not given consent under this Act for the collection, use or disclosure of personal data about the individual by an organisation for a purpose unless— the individual has been provided with the information required under section 20; and § 14.(1)(a) {render invalid} Any consent given in any of the circumstances in subsection (2) is not validly given for the purposes of this Act. § 14.(3) An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if— the individual, without actually giving consent referred to in section 14, voluntarily provides the personal data to the organisation for that purpose; and § 15.(1)(a) In this Act, references to the consent given or deemed to have been given, by an individual for the collection, use, or disclosure of personal data about the individual shall include consent given, or deemed to have been given, by any person validly acting on behalf of that individual for the collection, use or disclosure of such personal data. § 14.(4) An individual has not given consent under this Act for the collection, use or disclosure of personal data about the individual by an organisation for a purpose unless — the individual provided his consent for that purpose in accordance with this Act. § 14.(1)(b) Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the individual does not notify the organisation, before the expiry of the period mentioned in subsection (4)(b)(iii), that the individual does not consent to the proposed collection, use or disclosure of the personal data by the organisation. § 15A.(2)(b) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: a reasonable period within which, and a reasonable manner by which, the individual may notify the organisation that the individual does not consent to the organisation's proposed collection, use or disclosure of the personal data; and § 15A.(4)(b)(iii)]	Privacy protection for information and data	Establish/Maintain Documentation
Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 [An organisation may — disclose personal data about an individual without the consent of the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 3 of the Second Schedule. § 17.(1)(c) {individual's vital interest}{without consent}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — the individual would not reasonably be expected to withhold consent. FIRST SCHEDULE PART 1 § 1.(1)(b) {organization}{corporation}{business improvement purpose}Subject to the conditions in sub-paragraphs (3), (4) and (5), personal data about an individual (P) — is disclosed by Y to X for a relevant purpose. FIRST SCHEDULE PART 5 § 1.(1)(c)]	Privacy protection for information and data	Communicate
Disclose restricted data absent consent when the law does not require consent. CC ID 00136	Privacy protection for information and data	Data and Information Management
Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 [Unless otherwise provided under this Act, an organisation may — use or disclose personal data about an individual that — for purposes consistent with the purpose of that collection, or for any purpose permitted by subsection (1)(b) or (c), as the case may be. § 17.(2)(b) ¶ 1 Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by B to another organisation, where the disclosure is reasonably necessary for any purpose mentioned in paragraph (a). § 15.(6)(c) {personal purpose}{domestic purposes}The personal data about an individual — is collected, used or disclosed (as the case may be) by the organisation solely for the purpose in sub-paragraph (a). FIRST SCHEDULE PART 3 § 8.(b) {business improvement purpose}{refrain from achieving}Sub-paragraph (1)(a) and (c) applies only if — the relevant purpose for which X collects, or Y discloses, personal data about P cannot reasonably be achieved without the collection, use or disclosure (as the case may be) of the personal data in an individually identifiable form; FIRST SCHEDULE PART 5 § 1.(3)(a) {without consent}The personal data about an individual — is collected, used or disclosed (as the case may be) for purposes consistent with the purpose for which the document was produced. FIRST SCHEDULE PART 3 § 9.(b)]	Privacy protection for information and data	Data and Information Management
Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the disclosure of that personal data by A to another organisation (B); § 15.(3)(a) Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the disclosure of that personal data by B to another organisation. § 15.(3)(c) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer of Y; and FIRST SCHEDULE PART 5 § 1.(5)(a) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer or a prospective customer of X. FIRST SCHEDULE PART 5 § 1.(5)(b)]	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 [{individual's vital interest}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; or FIRST SCHEDULE PART 1 § 1.(1)(a)]	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 [{without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or FIRST SCHEDULE PART 3 § 10.(a) {without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. FIRST SCHEDULE PART 3 § 10.(b)]	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent to create a credit report. CC ID 15297 [{legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — is for the purpose of the preparation by a credit bureau of a credit report; or FIRST SCHEDULE PART 3 § 6.(1)(a)]	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 [{business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y may collect, and Z may disclose, only personal data that is necessary for X or Y (as the case may be) to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(b)(i)]	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent for handling insurance claims. CC ID 13585	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent for transactions related to the consumer. CC ID 14853	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 [{is necessary}{without consent} The collection, use or disclosure of personal data is for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual. FIRST SCHEDULE PART 1 § 4.]	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 [{collect}{disclose}Subject to sub-paragraphs (2), (3) and (4) — the collection, use or disclosure (as the case may be) of personal data about an individual is in the legitimate interests of the organisation or another person; and FIRST SCHEDULE PART 3 § 1.(1)(a)]	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 [{individual's vital interest}The collection, use or disclosure (as the case may be) of personal data about an individual, where — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; and FIRST SCHEDULE PART 1 § 3.(a) The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — it is impracticable for the organisation to seek the consent of the individual for the disclosure; SECOND SCHEDULE PART 3 Division 2 § 1.(b)]	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent in order to perform a contract. CC ID 00139 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary — for the conclusion or performance of a contract between A and B which is entered into at P's request, or which a reasonable person would consider to be in P's interest; § 15.(6)(a)(ii) {without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is used or disclosed by X in relation to the business asset transaction; or FIRST SCHEDULE PART 4 § 1.(1)(b) {without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is disclosed by Y to X for the purposes of the business transaction. FIRST SCHEDULE PART 4 § 1.(1)(c) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X may collect, and Y may disclose, only personal data that is necessary for X to determine whether to proceed with the business asset transaction; FIRST SCHEDULE PART 4 § 1.(3)(a) {prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: X may use or disclose the personal data X collected from Y only for the same purposes for which Y would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 1.(4)(a) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X and Y must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the business asset transaction. FIRST SCHEDULE PART 4 § 1.(3)(b) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is used or disclosed by X or Y in relation to the relevant transaction; or FIRST SCHEDULE PART 4 § 2.(1)(b) Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary — for the performance of the contract between P and A; or § 15.(6)(a)(i) {legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — relates to a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual. FIRST SCHEDULE PART 3 § 6.(1)(b) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is disclosed by Y or Z (as the case may be) to X, or by Z to Y, for the purposes of the relevant transaction. FIRST SCHEDULE PART 4 § 2.(1)(c) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X may collect, and Y or Z (as the case may be) may disclose, only personal data that is necessary for X to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(a)(i) {business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: X may use or disclose the personal data collected from Y or Z (as the case may be) only for the same purposes for which Y or Z (as the case may be) would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(a) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X and Y or Z (as the case may be) must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the relevant transaction; FIRST SCHEDULE PART 4 § 2.(2)(a)(ii) {business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y and Z must have entered into an agreement that requires Y to use or disclose the personal data solely for purposes related to the relevant transaction. FIRST SCHEDULE PART 4 § 2.(2)(b)(ii) {legitimate interest}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — confer an interest or a benefit on the individual under a private trust or benefit plan; and FIRST SCHEDULE PART 3 § 7.(a)]	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 [{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — administer that trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be. FIRST SCHEDULE PART 3 § 7.(b)]	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 [{disclose}The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — in the event that the results of the research are published, the organisation publishes the results in a form that does not identify the individual. SECOND SCHEDULE PART 3 Division 2 § 1.(e)]	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 [{disclose}{without consent} The disclosure of personal data about an individual to a public agency, where the disclosure is necessary in the public interest. SECOND SCHEDULE PART 3 Division 1 § 1.]	Privacy protection for information and data	Data and Information Management
Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145	Privacy protection for information and data	Data and Information Management
Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 [The use of personal data about an individual for a research purpose (including historical or statistical research), if — in the event that the results of the research are published, the organisation publishes the results in a form that does not identify the individual. SECOND SCHEDULE PART 2 Division 3 § 1.(d) {refrain from achieving}The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — the research purpose cannot reasonably be accomplished unless the personal data is disclosed in an individually identifiable form; SECOND SCHEDULE PART 3 Division 2 § 1.(a) The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — there is a clear public benefit to disclosing the personal data for the research purpose; SECOND SCHEDULE PART 3 Division 2 § 1.(c) {collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for evaluative purposes. FIRST SCHEDULE PART 3 § 2. {disclose}The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — the results of the research will not be used to make a decision that affects the individual; and SECOND SCHEDULE PART 3 Division 2 § 1.(d)]	Privacy protection for information and data	Data and Information Management
Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 [{without consent}{archival purpose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for archival or historical purposes, if a reasonable person would not consider the personal data to be too sensitive to the individual to be collected, used or disclosed (as the case may be) at the proposed time. FIRST SCHEDULE PART 2 § 4.]	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent for public economic interests. CC ID 00148	Privacy protection for information and data	Data and Information Management
Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is in the national interest. FIRST SCHEDULE PART 2 § 2.]	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 [{without consent} The personal data about an individual is collected, used or disclosed (as the case may be) by a news organisation solely for its news activity. FIRST SCHEDULE PART 2 § 5. {without consent}{artistic purpose}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for artistic or literary purposes. FIRST SCHEDULE PART 2 § 3.]	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual that is publicly available. FIRST SCHEDULE PART 2 § 1.]	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152	Privacy protection for information and data	Data and Information Management
Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 [{individual's vital interest}{collect}{disclose} Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — FIRST SCHEDULE PART 1 § 1.(1)]	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual, where — there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected. FIRST SCHEDULE PART 1 § 3.(b)]	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any investigation or proceedings. FIRST SCHEDULE PART 3 § 3. {collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services. FIRST SCHEDULE PART 3 § 5.]	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent when it is needed by law. CC ID 00163	Privacy protection for information and data	Data and Information Management
Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 [An organisation must not inform any individual under subsection (1)(b) that the organisation has disclosed personal data about the individual to a prescribed law enforcement agency if the disclosure was made under this Act or any other written law without the consent of the individual. § 21.(4) {disclose} The disclosure of personal data about any individual to any officer of a prescribed law enforcement agency, upon production of written authorisation signed by the head or director of that prescribed law enforcement agency or a person of a similar rank, certifying that the personal data is necessary for the purposes of the functions or duties of the officer. SECOND SCHEDULE PART 3 Division 1 § 4.]	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to recover a debt owed by the individual to the organisation; or FIRST SCHEDULE PART 3 § 4.(a) {collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to pay to the individual a debt owed by the organisation. FIRST SCHEDULE PART 3 § 4.(b)]	Privacy protection for information and data	Data and Information Management
Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166	Privacy protection for information and data	Data and Information Management
Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469	Privacy protection for information and data	Communicate
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [the organisation must preserve, for not less than the prescribed period, a copy of the personal data concerned. § 22A.(1) ¶ 1]	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain personal data disposition procedures. CC ID 13498	Privacy protection for information and data	Establish/Maintain Documentation
Capture personal data removal requests. CC ID 13507	Privacy protection for information and data	Communicate
Remove personal data from records after receiving a personal data removal request. CC ID 11972	Privacy protection for information and data	Records Management
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789	Privacy protection for information and data	Process or Activity
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788	Privacy protection for information and data	Process or Activity
Dispose of personal data removal requests, as necessary. CC ID 13512	Privacy protection for information and data	Business Processes
Limit the redisclosure and reuse of restricted data. CC ID 00168	Privacy protection for information and data	Data and Information Management
Refrain from redisclosing or reusing restricted data. CC ID 00169	Privacy protection for information and data	Data and Information Management
Document the redisclosing restricted data exceptions. CC ID 00170	Privacy protection for information and data	Establish/Maintain Documentation
Redisclose restricted data when the data subject consents. CC ID 00171	Privacy protection for information and data	Data and Information Management
Redisclose restricted data when it is for criminal law enforcement. CC ID 00172	Privacy protection for information and data	Data and Information Management
Redisclose restricted data in order to protect public revenue. CC ID 00173	Privacy protection for information and data	Data and Information Management
Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174	Privacy protection for information and data	Data and Information Management
Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175	Privacy protection for information and data	Data and Information Management
Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176	Privacy protection for information and data	Data and Information Management
Redisclose restricted data in order to preserve human life at sea. CC ID 00177	Privacy protection for information and data	Data and Information Management
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178	Privacy protection for information and data	Data and Information Management
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198	Privacy protection for information and data	Data and Information Management
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199	Privacy protection for information and data	Data and Information Management
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238	Privacy protection for information and data	Data and Information Management
Process Personal Identification Numbers with consent. CC ID 00239	Privacy protection for information and data	Data and Information Management
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253	Privacy protection for information and data	Behavior
Obtain consent prior to selling a Personal Identification Number. CC ID 00240	Privacy protection for information and data	Data and Information Management
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241	Privacy protection for information and data	Data and Information Management
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254	Privacy protection for information and data	Data and Information Management
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255	Privacy protection for information and data	Data and Information Management
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242	Privacy protection for information and data	Establish/Maintain Documentation
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252	Privacy protection for information and data	Data and Information Management
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247	Privacy protection for information and data	Data and Information Management
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244	Privacy protection for information and data	Data and Information Management
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243	Privacy protection for information and data	Data and Information Management
Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain data disclosure procedures. CC ID 00133 [Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the organisation satisfies the requirements in subsection (4); and § 15A.(2)(a) {business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: Y may use or disclose the personal data collected from Z only for the same purposes for which Z would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(b)]	Privacy protection for information and data	Establish/Maintain Documentation
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual; § 15A.(5)(a) {legitimate interest}{collect}{disclose}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify any adverse effect that the proposed collection, use or disclosure (as the case may be) of personal data about an individual is likely to have on the individual; FIRST SCHEDULE PART 3 § 1.(3)(a)]	Privacy protection for information and data	Data and Information Management
Review personal data disclosure requests. CC ID 07129	Privacy protection for information and data	Data and Information Management
Notify the data subject of the disclosure purpose. CC ID 15268 [For the purposes of subsection (4), the organisation must inform the individual of the following: the purpose for which the organisation is collecting, using or disclosing (as the case may be) the personal data about the individual; § 20.(5)(a)]	Privacy protection for information and data	Communicate
Establish, implement, and maintain data request denial procedures. CC ID 00434	Privacy protection for information and data	Establish/Maintain Documentation
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 [{personal data request} An organisation is not required to provide information under section 21(1) in respect of— any request— that would unreasonably interfere with the ound-color:#F0BBBC;" class="term_primary-noun">operations of the organisation because of the repetitious or systematic nature of the requests; FIFTH SCHEDULE § 1.(j)(i) {personal data request} An organisation is not required to provide information under section 21(1) in respect of— any request— for y-noun">informatground-color:#CBD0E5;" class="term_secondary-verb">ionan> that is trivial; or FIFTH SCHEDULE § 1.(j)(iv) {personal data request}{is unnecessary} An organisation is not required to provide information under section 21(1) in respect of— any request— that is otherwise frivolous or vexatious. FIFTH SCHEDULE § 1.(j)(v) {interfere}{operation} For the purposes of paragraph 1(j)(i), the organisation may have regard to the number and frequency of requests received. FIFTH SCHEDULE § 2.]	Privacy protection for information and data	Data and Information Management
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 [{personal data request} An organisation is not required to provide information under section 21(1) in respect of— any request— for information that lass="term_primary-verb">does not exist or cannot be found; FIFTH SCHEDULE § 1.(j)(iii)]	Privacy protection for information and data	Data and Information Management
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 [{other person} An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to— class="term_primary-verb">reveal personal data about another individual; § 21.(3)(c) {other person} An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to — m_primary-verb">reveal the identity of an individual who has provided personal data about another individual and the individual providing the personal data does not consent to the disclosure of his identity; or § 21.(3)(d)]	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439	Privacy protection for information and data	Data and Information Management
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [An organisation is not required to provide information under section 21(1) in respect of— personal data which, if disclosed, would reveal or:#F0BBBC;" class="term_primary-noun">confidential commercial information that could, in the opispan>nion of a reasonable person, harm the ">competitive position of the organisation; FIFTH SCHEDULE § 1.(g)]	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 [An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to— <span style="background-color:#B7D8ED;" class="term_primary-verb">threaten the safety or physical or mental health of an individual other than the individual who made the request; § 21.(3)(a) An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to— cause immediate or grave harm> to the ackground-color:#F0BBBC;" class="term_primary-noun">safety or to the physical or mental style="background-color:#F0BBBC;" class="term_primary-noun">health of the individual who made the request; § 21.(3)(b)]	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702	Privacy protection for information and data	Process or Activity
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600	Privacy protection for information and data	Data and Information Management
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444	Privacy protection for information and data	Data and Information Management
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 [An organisation is not required to provide information under section 21(1) in respect of— opinion data rb">keptan> solely for an style="background-color:#F0BBBC;" class="term_primary-noun">evaluative purpose; FIFTH SCHEDULE § 1.(a)]	Privacy protection for information and data	Data and Information Management
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 [An organisation is not required to provide information under section 21(1) in respect of — personal data collected, used or disclosed without consent, under paragraph 3 of Part 3 of the First Schedule, for the purposes of an investigation if the investigation and associated proceedings and appeals have not been completed; FIFTH SCHEDULE § 1.(h)]	Privacy protection for information and data	Data and Information Management
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 [An organisation is not required to provide information under section 21(1) in respect of— the personal data was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he was appointed to act— under a un">collective agreement under the Industrial Relations Act (Cap. 136) or by agreement between the parties to the mediation or arbitration; FIFTH SCHEDULE § 1.(i)(i) An organisation is not required to provide information under section 21(1) in respect of— the personal data was collected or created by a mediator or arbitrator in the conduct of a ry-noun">mediationn> or arbitrationan> for which he was appointed to act— under any written m_primary-noun">law; or FIFTH SCHEDULE § 1.(i)(ii) An organisation is not required to provide information under section 21(1) in respect of— the personal data was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he was style="background-color:#CBD0E5;" class="term_secondary-verb">ED;" class="term_primary-verb">appointed to act— by a pan style="background-color:#F0BBBC;" class="term_primary-noun">court, arbitral institution or mediation centre; or FIFTH SCHEDULE § 1.(i)(iii)]	Privacy protection for information and data	Data and Information Management
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874	Privacy protection for information and data	Data and Information Management
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 [{personal data request}{be disproportionate} An organisation is not required to provide information under section 21(1) in respect of—any request— if the burden or expense of providing access would "background-color:#B7D8ED;" class="term_primary-verb">be unreasonable to the organisation or disproportionate to the individual's interests; FIFTH SCHEDULE § 1.(j)(ii) {personal data request}{be disproportionate} An organisation is not required to provide information under section 21(1) in respect of—any request— if the burden or expense of providing access would "background-color:#B7D8ED;" class="term_primary-verb">be unreasonable to the organisation or disproportionate to the individual's interests; FIFTH SCHEDULE § 1.(j)(ii)]	Privacy protection for information and data	Data and Information Management
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [the organisation must, within the prescribed time and in accordance with the prescribed requirements, notify the individual of the rejection. § 21.(6) ¶ 1]	Privacy protection for information and data	Data and Information Management
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509	Privacy protection for information and data	Communicate
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454	Privacy protection for information and data	Data and Information Management
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700	Privacy protection for information and data	Process or Activity
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [Subject to subsections (2), (3) and (4), on request of an individual, an organisation shall, as soon as reasonably possible, provide the individual with— personal data> about the individual that is in the possession or under the control of the organisation; and § 21.(1)(a) {is complete} If an organisation is able to provide the individual with the individual's personal data and other information requested under subsection (1) without the personal data or other information excluded under subsections (2), (3) and (4), the organisation shall d-color:#B7D8ED;" class="term_primary-verb">provide the individual with ="term_primary-noun">access to the personal data and other information without the personal data or other information excluded under subsections (2), (3) and (4). § 21.(5)]	Privacy protection for information and data	Data and Information Management
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876	Privacy protection for information and data	Data and Information Management
Notify that data subject of any exclusions to requested personal data. CC ID 15271 [the organisation must notify the individual of the exclusion, under subsection (2) or (3), of any of the personal data or other information so requested. § 21.(7) ¶ 1]	Privacy protection for information and data	Communicate
Provide data or records in a reasonable time frame. CC ID 00429 [{person}A checker is deemed to have complied with subsection (2)(a) if — the checker provides the applicable information to P before the expiry of the prescribed period mentioned in section 43(2)(b)(i). § 43A.(3)(b)]	Privacy protection for information and data	Data and Information Management
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599	Privacy protection for information and data	Communicate
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591	Privacy protection for information and data	Data and Information Management
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590	Privacy protection for information and data	Data and Information Management
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589	Privacy protection for information and data	Data and Information Management
Provide data at a cost that is not excessive. CC ID 00430	Privacy protection for information and data	Data and Information Management
Provide records or data in a reasonable manner. CC ID 00431	Privacy protection for information and data	Data and Information Management
Provide personal data in a form that is intelligible. CC ID 00432	Privacy protection for information and data	Data and Information Management
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604	Privacy protection for information and data	Data and Information Management
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602	Privacy protection for information and data	Data and Information Management
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601	Privacy protection for information and data	Data and Information Management
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data collection program. CC ID 06487	Privacy protection for information and data	Establish/Maintain Documentation
Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual; § 15A.(5)(a) {legitimate interest}{collect}{disclose}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify any adverse effect that the proposed collection, use or disclosure (as the case may be) of personal data about an individual is likely to have on the individual; FIRST SCHEDULE PART 3 § 1.(3)(a)]	Privacy protection for information and data	Data and Information Management
Refrain from collecting personal data, as necessary. CC ID 15269 [An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless — § 13.]	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 [Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the organisation satisfies the requirements in subsection (4); and § 15A.(2)(a)]	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data use policy. CC ID 00076	Privacy protection for information and data	Establish/Maintain Documentation
Use personal data for specified purposes. CC ID 11831 [{business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: Y may use or disclose the personal data collected from Z only for the same purposes for which Z would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(b)]	Privacy protection for information and data	Data and Information Management
Post the collection purpose. CC ID 00101	Privacy protection for information and data	Establish/Maintain Documentation
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: § 15.(6)]	Privacy protection for information and data	Data and Information Management
Document each individual's personal data collection consent preferences. CC ID 06945	Privacy protection for information and data	Establish/Maintain Documentation
Provide explicit consent that is clear and unambiguous. CC ID 00181	Privacy protection for information and data	Data and Information Management
Allow individuals to change their personal data collection consent preferences. CC ID 06946 [{allow} On giving reasonable notice to the organisation, an individual may at any time withdraw any consent given, or deemed to have been given under this Act, in respect of the collection, use or disclosure by that organisation of personal data about the individual for any purpose. § 16.(1) An organisation shall not prohibit an individual from withdrawing his consent to the collection, use or disclosure of personal data about the individual, but this section shall not affect any legal consequences arising from such withdrawal. § 16.(3)]	Privacy protection for information and data	Data and Information Management
Adhere to each individual's personal data collection consent preferences. CC ID 06947	Privacy protection for information and data	Data and Information Management
Notify the data subject of the source of collected personal data. CC ID 00083	Privacy protection for information and data	Behavior
Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717	Privacy protection for information and data	Data and Information Management
Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718	Privacy protection for information and data	Data and Information Management
Establish and maintain a personal data definition. CC ID 00028	Privacy protection for information and data	Establish/Maintain Documentation
Include an individual's name in the personal data definition. CC ID 04710	Privacy protection for information and data	Data and Information Management
Include an individual's name combined with other personal data in the personal data definition. CC ID 04709	Privacy protection for information and data	Data and Information Management
Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686	Privacy protection for information and data	Data and Information Management
Include an individual's signature in the personal data definition. CC ID 04711	Privacy protection for information and data	Data and Information Management
Include an individual's date of birth in the personal data definition. CC ID 04770	Privacy protection for information and data	Data and Information Management
Include the number of children in the personal data definition. CC ID 13759	Privacy protection for information and data	Establish/Maintain Documentation
Include the individual's religion in the personal data definition. CC ID 13765	Privacy protection for information and data	Establish/Maintain Documentation
Include an individual's physical characteristics or description in the personal data definition. CC ID 04712	Privacy protection for information and data	Data and Information Management
Include an individual's biometric data in the personal data definition. CC ID 04698	Privacy protection for information and data	Data and Information Management
Include an individual's photographic image in the personal data definition. CC ID 04779	Privacy protection for information and data	Data and Information Management
Include an individual's fingerprints in the personal data definition. CC ID 04689	Privacy protection for information and data	Data and Information Management
Include an individual's address in the personal data definition. CC ID 04687	Privacy protection for information and data	Data and Information Management
Include an individual's telephone number in the personal data definition. CC ID 04688	Privacy protection for information and data	Data and Information Management
Include an individual's fax number in the personal data definition. CC ID 07120	Privacy protection for information and data	Data and Information Management
Include an individual's political party affiliation in the personal data definition. CC ID 13764	Privacy protection for information and data	Establish/Maintain Documentation
Include an individual's license plate number in the personal data definition. CC ID 13763	Privacy protection for information and data	Establish/Maintain Documentation
Include an individual's financial account number in the personal data definition. CC ID 04692	Privacy protection for information and data	Data and Information Management
Include an individual's account balances in the personal data definition. CC ID 13770	Privacy protection for information and data	Establish/Maintain Documentation
Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768	Privacy protection for information and data	Data and Information Management
Include an individual's electronic identification name or number in the personal data definition. CC ID 04694	Privacy protection for information and data	Data and Information Management
Include an individual's logon credentials in the personal data definition. CC ID 13771	Privacy protection for information and data	Establish/Maintain Documentation
Include an individual's Alien Registration Number in the personal data definition. CC ID 04743	Privacy protection for information and data	Data and Information Management
Include an individual's passport number in the personal data definition. CC ID 04713	Privacy protection for information and data	Data and Information Management
Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691	Privacy protection for information and data	Data and Information Management
Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690	Privacy protection for information and data	Data and Information Management
Include an individual's military identification number in the personal data definition. CC ID 13083	Privacy protection for information and data	Establish/Maintain Documentation
Include an individual's e-mail address in the personal data definition. CC ID 04696	Privacy protection for information and data	Data and Information Management
Include electronic signatures in the personal data definition. CC ID 04697	Privacy protection for information and data	Data and Information Management
Include an individual's payment card information in the personal data definition. CC ID 04751	Privacy protection for information and data	Data and Information Management
Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693	Privacy protection for information and data	Data and Information Management
Include an individual's payment card service code in the personal data definition. CC ID 04753	Privacy protection for information and data	Data and Information Management
Include an individual's payment card expiration date in the personal data definition. CC ID 04755	Privacy protection for information and data	Data and Information Management
Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825	Privacy protection for information and data	Data and Information Management
Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700	Privacy protection for information and data	Data and Information Management
Include an individual's medical history in the personal data definition. CC ID 04701	Privacy protection for information and data	Data and Information Management
Include an individual's medical treatment in the personal data definition. CC ID 04702	Privacy protection for information and data	Data and Information Management
Include an individual's medical diagnosis in the personal data definition. CC ID 04703	Privacy protection for information and data	Data and Information Management
Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704	Privacy protection for information and data	Data and Information Management
Include an individual's medical record numbers in the personal data definition. CC ID 07121	Privacy protection for information and data	Data and Information Management
Include an individual's health insurance information in the personal data definition. CC ID 04705	Privacy protection for information and data	Data and Information Management
Include an individual's health insurance policy number in the personal data definition. CC ID 04706	Privacy protection for information and data	Data and Information Management
Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707	Privacy protection for information and data	Data and Information Management
Include an individual's education information in the personal data definition. CC ID 04714	Privacy protection for information and data	Data and Information Management
Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122	Privacy protection for information and data	Data and Information Management
Include an individual's employment information in the personal data definition. CC ID 04715	Privacy protection for information and data	Data and Information Management
Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767	Privacy protection for information and data	Data and Information Management
Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763	Privacy protection for information and data	Data and Information Management
Include an individual's employment history in the personal data definition. CC ID 04716	Privacy protection for information and data	Data and Information Management
Include an individual's place of employment in the personal data definition. CC ID 04765	Privacy protection for information and data	Data and Information Management
Include an individual's Employee Identification Number in the personal data definition. CC ID 04766	Privacy protection for information and data	Data and Information Management
Include an individual's property information in the personal data definition. CC ID 04780	Privacy protection for information and data	Data and Information Management
Include an individual's property title in the personal data definition. CC ID 04781	Privacy protection for information and data	Data and Information Management
Include an individual's vehicle registration in the personal data definition. CC ID 04782	Privacy protection for information and data	Data and Information Management
Include hardware asset identification information in the personal data definition. CC ID 07123	Privacy protection for information and data	Data and Information Management
Include MAC addresses in the personal data definition. CC ID 04778	Privacy protection for information and data	Data and Information Management
Include Internet Protocol addresses in the personal data definition. CC ID 04777	Privacy protection for information and data	Data and Information Management
Include asset serial numbers in the personal data definition. CC ID 07124	Privacy protection for information and data	Data and Information Management
Include Uniform Resource Locators in the personal data definition. CC ID 07125	Privacy protection for information and data	Data and Information Management
Refrain from including publicly available information in the personal data definition. CC ID 13084	Privacy protection for information and data	Establish/Maintain Documentation
Define specially restricted data. CC ID 00037	Privacy protection for information and data	Data and Information Management
Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079	Privacy protection for information and data	Data and Information Management
Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075	Privacy protection for information and data	Data and Information Management
Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080	Privacy protection for information and data	Data and Information Management
Implement a nondiscrimination principle. CC ID 00081	Privacy protection for information and data	Data and Information Management
Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799	Privacy protection for information and data	Data and Information Management
Preserve each individual's right to human dignity. CC ID 00082	Privacy protection for information and data	Data and Information Management
Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058	Privacy protection for information and data	Data and Information Management
Employ a random number generator to create authenticators. CC ID 13782	Privacy protection for information and data	Technical Security
Collect Personal Identification Numbers with the individual's consent. CC ID 00059	Privacy protection for information and data	Data and Information Management
Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061	Privacy protection for information and data	Data and Information Management
Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065	Privacy protection for information and data	Data and Information Management
Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792	Privacy protection for information and data	Data and Information Management
Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069	Privacy protection for information and data	Behavior
Manage health data collection. CC ID 00050	Privacy protection for information and data	Data and Information Management
Collect Individually Identifiable Health Information to provide health care services. CC ID 00052	Privacy protection for information and data	Data and Information Management
Collect Individually Identifiable Health Information when the law dictates. CC ID 00053	Privacy protection for information and data	Data and Information Management
Collect Individually Identifiable Health Information for research. CC ID 00054	Privacy protection for information and data	Data and Information Management
Remove personal data before disclosing health data. CC ID 00055	Privacy protection for information and data	Data and Information Management
Give special attention to collecting children's data. CC ID 00038	Privacy protection for information and data	Data and Information Management
Use simple understandable language to collect information from children. CC ID 00039	Privacy protection for information and data	Behavior
Notify parents or legal representatives of what information is collected from children. CC ID 00040	Privacy protection for information and data	Establish/Maintain Documentation
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049	Privacy protection for information and data	Data and Information Management
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain a personal data collection policy. CC ID 00029	Privacy protection for information and data	Establish/Maintain Documentation
Collect personal data directly from the data subject. CC ID 00011	Privacy protection for information and data	Data and Information Management
Create and manage user account aliases to maintain pseudonymity. CC ID 04549	Privacy protection for information and data	Data and Information Management
Provide unlinkability for users and resources. CC ID 04550	Privacy protection for information and data	Data and Information Management
Provide unobservability of users and resources. CC ID 04551	Privacy protection for information and data	Technical Security
Collect restricted data in a fair and lawful manner. CC ID 00010 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the collection and use of that personal data by B; § 15.(3)(b)]	Privacy protection for information and data	Data and Information Management
Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 [An organisation may — collect personal data about an individual, without the consent of the individual or from a source other than the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 1 of the Second Schedule; § 17.(1)(a) {individual's vital interest}{without consent}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — the individual would not reasonably be expected to withhold consent. FIRST SCHEDULE PART 1 § 1.(1)(b) {without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is in the national interest. FIRST SCHEDULE PART 2 § 2. {business improvement purpose}Sub-paragraph (1)(a) and (c) applies only if — a reasonable person would consider the collection or disclosure of personal data about P for the relevant purpose to be appropriate in the circumstances; and FIRST SCHEDULE PART 5 § 1.(3)(b) Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — § 17.(2)(a) Subject to the conditions in sub-paragraphs (3), (4) and (5), personal data about an individual (P) — is collected by an organisation (X) that is a corporation from a related corporation (Y) for a purpose specified in sub-paragraph (2) (called the relevant purpose); FIRST SCHEDULE PART 5 § 1.(1)(a) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer of Y; and FIRST SCHEDULE PART 5 § 1.(5)(a) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer or a prospective customer of X. FIRST SCHEDULE PART 5 § 1.(5)(b) {personal purpose}The personal data about an individual — is provided to the organisation by another individual to enable the organisation to provide a service for the personal or domestic purposes of that other individual; and FIRST SCHEDULE PART 3 § 8.(a) {without consent}Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — on or after the specified date in accordance with subsection (1)(c); or § 17.(2)(a)(i) {without consent}Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — before the specified date in accordance with section 17(3) as in force before the specified date, § 17.(2)(a)(ii)]	Privacy protection for information and data	Data and Information Management
Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 [{individual's vital interest}The collection, use or disclosure (as the case may be) of personal data about an individual, where — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; and FIRST SCHEDULE PART 1 § 3.(a) {individual's vital interest}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; or FIRST SCHEDULE PART 1 § 1.(1)(a) {legitimate interest}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — confer an interest or a benefit on the individual under a private trust or benefit plan; and FIRST SCHEDULE PART 3 § 7.(a)]	Privacy protection for information and data	Data and Information Management
Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent in order to make a disclosure. CC ID 13550 [{individual}{consent} Where an organisation collects personal data disclosed to it by B under subsection (6)(c), subsection (6)(b) and (c) applies to the organisation as if the personal data were disclosed by A to the organisation under subsection (6)(a). § 15.(7) {without consent}{collect}The collection of personal data about an individual, if — the personal data was disclosed by a public agency; and SECOND SCHEDULE PART 1 § 1.(a)]	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any investigation or proceedings. FIRST SCHEDULE PART 3 § 3.]	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the collection and use of that personal data by B, where the collection and use are reasonably necessary for any purpose mentioned in paragraph (a); § 15.(6)(b) {without consent}The personal data about an individual — is collected, used or disclosed (as the case may be) for purposes consistent with the purpose for which the document was produced. FIRST SCHEDULE PART 3 § 9.(b) {business improvement purpose}{refrain from achieving}Sub-paragraph (1)(a) and (c) applies only if — the relevant purpose for which X collects, or Y discloses, personal data about P cannot reasonably be achieved without the collection, use or disclosure (as the case may be) of the personal data in an individually identifiable form; FIRST SCHEDULE PART 5 § 1.(3)(a) {collect}{without consent}The collection of personal data about an individual, if — the collection of personal data by the organisation is consistent with the purpose of the disclosure by the public agency. SECOND SCHEDULE PART 1 § 1.(b) {personal purpose}{domestic purposes}The personal data about an individual — is collected, used or disclosed (as the case may be) by the organisation solely for the purpose in sub-paragraph (a). FIRST SCHEDULE PART 3 § 8.(b)]	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 [{collect}{without consent}The personal data about an individual — is included in a document produced in the course, and for the purposes, of the individual's employment, business or profession; and FIRST SCHEDULE PART 3 § 9.(a) {without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is collected from Y by X for the purposes of the business asset transaction; FIRST SCHEDULE PART 4 § 1.(1)(a) {organization}{party} Where the business asset transaction concerns any part of Y or Y's business assets, the personal data mentioned in sub-paragraph (1) must relate directly to that part of Y or Y's business assets, as the case may be. FIRST SCHEDULE PART 4 § 1.(2) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X may collect, and Y may disclose, only personal data that is necessary for X to determine whether to proceed with the business asset transaction; FIRST SCHEDULE PART 4 § 1.(3)(a) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is collected from Y or Z by X, or from Z by Y, for the purposes of the relevant transaction; FIRST SCHEDULE PART 4 § 2.(1)(a) {legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — relates to a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual. FIRST SCHEDULE PART 3 § 6.(1)(b) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X may collect, and Y or Z (as the case may be) may disclose, only personal data that is necessary for X to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(a)(i) {business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y may collect, and Z may disclose, only personal data that is necessary for X or Y (as the case may be) to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(b)(i) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X and Y or Z (as the case may be) must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the relevant transaction; FIRST SCHEDULE PART 4 § 2.(2)(a)(ii)]	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent for handling insurance claims. CC ID 13543	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 [{is necessary}{without consent} The collection, use or disclosure of personal data is for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual. FIRST SCHEDULE PART 1 § 4.]	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 [{without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or FIRST SCHEDULE PART 3 § 10.(a) {without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. FIRST SCHEDULE PART 3 § 10.(b)]	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 [{individual's vital interest}{collect}{disclose} Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — FIRST SCHEDULE PART 1 § 1.(1)]	Privacy protection for information and data	Data and Information Management
Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 [{without consent}{archival purpose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for archival or historical purposes, if a reasonable person would not consider the personal data to be too sensitive to the individual to be collected, used or disclosed (as the case may be) at the proposed time. FIRST SCHEDULE PART 2 § 4.]	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 [{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — administer that trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be. FIRST SCHEDULE PART 3 § 7.(b)]	Privacy protection for information and data	Data and Information Management
Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 [{without consent}{artistic purpose}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for artistic or literary purposes. FIRST SCHEDULE PART 2 § 3. {without consent} The personal data about an individual is collected, used or disclosed (as the case may be) by a news organisation solely for its news activity. FIRST SCHEDULE PART 2 § 5.]	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to recover a debt owed by the individual to the organisation; or FIRST SCHEDULE PART 3 § 4.(a) {collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to pay to the individual a debt owed by the organisation. FIRST SCHEDULE PART 3 § 4.(b)]	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for evaluative purposes. FIRST SCHEDULE PART 3 § 2.]	Privacy protection for information and data	Data and Information Management
Collect restricted data absent consent from publicly available information. CC ID 00019 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual that is publicly available. FIRST SCHEDULE PART 2 § 1.]	Privacy protection for information and data	Data and Information Management
Collect restricted data absent consent when needed by law. CC ID 00020	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent to create a credit report. CC ID 15287 [{legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — is for the purpose of the preparation by a credit bureau of a credit report; or FIRST SCHEDULE PART 3 § 6.(1)(a)]	Privacy protection for information and data	Data and Information Management
Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021	Privacy protection for information and data	Data and Information Management
Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022	Privacy protection for information and data	Data and Information Management
Collect the minimum amount of restricted data necessary. CC ID 00078	Privacy protection for information and data	Data and Information Management
Collect restricted data in a proper information framework. CC ID 00009	Privacy protection for information and data	Data and Information Management
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 [Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — for purposes consistent with the purpose of that disclosure, or for any purpose permitted by subsection (1)(a); or § 17.(2)(a) ¶ 1 {collect}{disclose}Subject to sub-paragraphs (2), (3) and (4) — the collection, use or disclosure (as the case may be) of personal data about an individual is in the legitimate interests of the organisation or another person; and FIRST SCHEDULE PART 3 § 1.(1)(a)]	Privacy protection for information and data	Data and Information Management
Collect restricted data when required by law. CC ID 00031	Privacy protection for information and data	Data and Information Management
Collect restricted data to prevent life-threatening emergencies. CC ID 00032 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual, where — there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected. FIRST SCHEDULE PART 1 § 3.(b)]	Privacy protection for information and data	Data and Information Management
Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034	Privacy protection for information and data	Data and Information Management
Collect restricted data for legal purposes. CC ID 00036 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services. FIRST SCHEDULE PART 3 § 5.]	Privacy protection for information and data	Data and Information Management
Provide the data subject with information about the data controller during the collection process. CC ID 00023	Privacy protection for information and data	Establish/Maintain Documentation
Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760	Privacy protection for information and data	Communicate
Provide the data subject with the data collector's name and contact information. CC ID 00024 [For the purposes of subsection (4), the organisation must inform the individual of the following: on request by the individual, the business contact information of a person who is able to answer the individual's questions about that collection, use or disclosure (as the case may be) on behalf of the organisation. § 20.(5)(b)]	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a data handling program. CC ID 13427	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain data handling policies. CC ID 00353	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361	Privacy protection for information and data	Establish/Maintain Documentation
Implement security measures to protect personal data. CC ID 13606 [{storage device}An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent — the loss of any storage medium or device on which personal data is stored. § 24.(b) {absent authorization}An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent — unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and § 24.(a)]	Privacy protection for information and data	Technical Security
Establish, implement, and maintain a personal data transfer program. CC ID 00307	Privacy protection for information and data	Establish/Maintain Documentation
Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333	Privacy protection for information and data	Establish/Maintain Documentation
Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 [{other country} An organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with requirements verb">prescribed under this Act to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under this Act. § 26.(1)]	Privacy protection for information and data	Establish/Maintain Documentation
Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316	Privacy protection for information and data	Data and Information Management
Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317	Privacy protection for information and data	Data and Information Management
Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318	Privacy protection for information and data	Data and Information Management
Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319	Privacy protection for information and data	Data and Information Management
Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320	Privacy protection for information and data	Data and Information Management
Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321	Privacy protection for information and data	Data and Information Management
Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322	Privacy protection for information and data	Data and Information Management
Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323	Privacy protection for information and data	Data and Information Management
Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324	Privacy protection for information and data	Data and Information Management
Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325	Privacy protection for information and data	Data and Information Management
Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain a privacy impact assessment. CC ID 13712 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify and implement reasonable measures to — reduce the likelihood that the adverse effect will occur; or § 15A.(5)(b)(ii) The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify and implement reasonable measures to — eliminate the adverse effect; § 15A.(5)(b)(i) The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify and implement reasonable measures to — mitigate the adverse effect; and § 15A.(5)(b)(iii)]	Privacy protection for information and data	Establish/Maintain Documentation
Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520	Privacy protection for information and data	Establish/Maintain Documentation
Include how to grant consent in the privacy impact assessment. CC ID 15519	Privacy protection for information and data	Establish/Maintain Documentation
Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518	Privacy protection for information and data	Establish/Maintain Documentation
Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517	Privacy protection for information and data	Establish/Maintain Documentation
Include data handling procedures in the privacy impact assessment. CC ID 15516	Privacy protection for information and data	Establish/Maintain Documentation
Include the intended use of information in the privacy impact assessment. CC ID 15515	Privacy protection for information and data	Establish/Maintain Documentation
Include the reason information is being collected in the privacy impact assessment. CC ID 15514	Privacy protection for information and data	Establish/Maintain Documentation
Include the type of information to be collected in the privacy impact assessment. CC ID 15513	Privacy protection for information and data	Business Processes
Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458	Privacy protection for information and data	Communicate
Develop remedies and sanctions for privacy policy violations. CC ID 00474	Privacy protection for information and data	Data and Information Management
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 [{refrain from correcting} Nothing in this section shall require an organisation to correct or otherwise alter an opinion, including a professional or an expert opinion. § 22.(6)]	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 [An organisation shall — develop a process to receive and respond to complaints that may arise with respect to the application of this Act; § 12.(b)]	Privacy protection for information and data	Establish/Maintain Documentation
Include potential remedies in the privacy dispute resolution program. CC ID 12531	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395	Privacy protection for information and data	Establish/Maintain Documentation
Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529	Privacy protection for information and data	Establish/Maintain Documentation
Document unresolved challenges. CC ID 13568 [An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. Section 22 shall not apply in respect of— any erm_secondary-verb">BBC;" class="term_primary-noun">examination> conducted by an education institution, examination scripts and, prior to the release of examination results, <span style="background-color:#F0BBBC;" class="term_primary-noun">examination results; SIXTH SCHEDULE § 1.(b) An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. Section 22 shall not apply in respect of— the personal data of the background-color:#F0BBBC;" class="term_primary-noun">beneficiaries of a tyle="background-color:#F0BBBC;" class="term_primary-noun">private trust kept solely for the purpose of ass="term_primary-verb">administering the trust; SIXTH SCHEDULE § 1.(c) An organisation is not required to provide information under section 21(1) in respect of — a document related to a prosecution if all proceedings related to the prosecution have not been completed; or SIXTH SCHEDULE § 1.(e)]	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain an accuracy resolution policy. CC ID 00460	Privacy protection for information and data	Establish/Maintain Documentation
Notify individuals of their right to challenge personal data. CC ID 00457	Privacy protection for information and data	Data and Information Management
Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458	Privacy protection for information and data	Data and Information Management
Terminate an individual's restriction agreement under specific circumstances. CC ID 06260	Privacy protection for information and data	Configuration
Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798	Privacy protection for information and data	Human Resources Management
Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459	Privacy protection for information and data	Data and Information Management
Notify individuals of the time frame in which they may challenge personal data. CC ID 16861	Privacy protection for information and data	Communicate
Investigate the disputed accuracy of personal data. CC ID 00461	Privacy protection for information and data	Data and Information Management
Notify third parties of unresolved challenges. CC ID 13559	Privacy protection for information and data	Communicate
Document disagreements as to whether personal data is complete and accurate. CC ID 06952	Privacy protection for information and data	Establish/Maintain Documentation
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 [An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. Section 22 shall b">not apply in respect of— background-color:#F0BBBC;" class="term_primary-noun">opinion data kept solely for an imary-noun">evaluative purpose; SIXTH SCHEDULE § 1.(a) If no correction is made under subsection (2)(a) or (4), the organisation shall annotate the personal data in its possession or under its control with the correction that was requested but e="background-color:#CBD0E5;" class="term_secondary-verb">not made. § 22.(5)]	Privacy protection for information and data	Establish/Maintain Documentation
Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487	Privacy protection for information and data	Behavior
Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 [An organisation or a person (including any individual who is a complainant) aggrieved by — may make a written application to the Commission to reconsider the direction or decision in accordance with this section. § 48N.(1) ¶ 1]	Privacy protection for information and data	Behavior
Define the organization's liability based on the applicable law. CC ID 00504	Privacy protection for information and data	Establish/Maintain Documentation
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 [A person who suffers loss or damage directly as a result of a contravention — has a right of action for relief in civil proceedings in a court. § 48O.(1) ¶ 1 A telecommunications service provider which contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000. § 42.(2)]	Privacy protection for information and data	Establish/Maintain Documentation
Define the appeal process based on the applicable law. CC ID 00506 [The application for reconsideration — must be made in the form and manner required by the Commission; and § 48N.(4)(b) An organisation or a person aggrieved by a financial penalty imposed by the Commission under section 48J(1) on the organisation or person may make a written application to the Commission to reconsider the decision to impose the financial penalty or the amount of the financial penalty so imposed in accordance with this section. § 48N.(2) The application for reconsideration — subject to subsection (5), must be submitted to the Commission within the prescribed period; § 48N.(4)(a) The application for reconsideration — must set out the grounds on which the applicant is requesting the reconsideration. § 48N.(4)(c)]	Privacy protection for information and data	Establish/Maintain Documentation
Define the fee structure for the appeal process. CC ID 16532	Privacy protection for information and data	Process or Activity
Define the time requirements for the appeal process. CC ID 16531	Privacy protection for information and data	Process or Activity
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544	Privacy protection for information and data	Communicate
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542	Privacy protection for information and data	Communicate
Establish, implement, and maintain a Customer Information Management program. CC ID 00084	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain customer data authentication procedures. CC ID 13187	Privacy protection for information and data	Establish/Maintain Documentation
Check the accuracy of restricted data. CC ID 00088 [{is complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data— is likely to be und-color:#B7D8ED;" class="term_primary-verb">used by the organisation to imary-verb">make a decision that affects the individual to whom the personal data " class="term_secondary-verb">relates; or § 23.(a) {is complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the _primary-noun">personal data— is likely to be e="background-color:#B7D8ED;" class="term_primary-verb">disclosed by the organisation to another organisation. § 23.(b) {person}A checker must — ensure that the applicable information provided to P is accurate; and § 43A.(2)(a) {be complete}{be accurate} The organisation must ensure that the copy of the personal data it preserves for the purposes of subsection (1) is a complete and accurate copy of the personal data concerned. § 22A.(2) {be complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation verb">is accurate and complete, if the personal data — § 23.]	Privacy protection for information and data	Data and Information Management
Check that restricted data is complete. CC ID 00090 [{be complete}{be accurate} The organisation must ensure that the copy of the personal data it preserves for the purposes of subsection (1) is a complete and accurate copy of the personal data concerned. § 22A.(2) {be complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data — § 23.]	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain an anti-spam policy. CC ID 00283 [Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes the information, and complies with the conditions, specified in the regulations, if any; and § 44.(c) Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes the information, and complies with the conditions, specified in the regulations, if any; and § 44.(c) For the purposes of subsection (1), the person has valid confirmation that a Singapore telephone number is not listed in the relevant register in either of the following circumstances: the person has obtained from a checker information that the Singapore telephone number is not listed in the relevant register (called in this section the relevant information) and has no reason to believe that, and is not reckless as to whether — § 43.(2)(b)]	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from sending unsolicited commercial electronic messages under predetermined conditions. CC ID 13993 [Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the information included in the specified message in compliance with this section is reasonably likely to be valid for at least 30 days after the message is sent. § 44.(d) For the purposes of subsection (1), the person has valid confirmation that a Singapore telephone number is not listed in the relevant register in either of the following circumstances: the person has, within the prescribed duration before sending the specified message — made an application to the Commission under section 40(2) to confirm whether the Singapore telephone number is listed in the relevant register; and § 43.(2)(a)(i)]	Privacy protection for information and data	Communicate
Refrain from sending unsolicited commercial electronic messages with hyperlinks to a country with an anti-spam policy. CC ID 00284	Privacy protection for information and data	Behavior
Refrain from including misleading information in the e-mail header when transmitting electronic messages. CC ID 00285	Privacy protection for information and data	Behavior
Include contact information in commercial electronic messages. CC ID 15457	Privacy protection for information and data	Business Processes
Refrain from sending commercial electronic messages to a third party computer when the message does not contain a functioning return e-mail address that is clearly visible to the receiver. CC ID 00287	Privacy protection for information and data	Behavior
Refrain from sending commercial electronic messages, physical mail, or making telephone calls after an opt out by a user. CC ID 00288 [{refrain from sending} If a subscriber or user of a Singapore telephone number gives notice withdrawing consent given to a person for the sending of any specified message="background-color:#CBD0E5;" class="term_secondary-verb">span> to that Singapore telephone number, the person shall cease (and cause its agent to cease) sending any specified message to that Singapore telephone number after the expiry of the prescribed period. § 47.(3)]	Privacy protection for information and data	Behavior
Include a personal identifier, an opt-out provision, and a physical address to add the recipient to the do-not-e-mail registry in all commercial e-mails. CC ID 00289	Privacy protection for information and data	Behavior
Make the opt-out functional after the e-mail is sent, as necessary. CC ID 00290	Privacy protection for information and data	Data and Information Management
Unsubscribe users from the opt-out notification, as necessary. CC ID 00291	Privacy protection for information and data	Data and Information Management
Make identifiers accurate after e-mails are sent, as necessary. CC ID 00292	Privacy protection for information and data	Data and Information Management
Define aggravated violations that relate to commercial electronic messages. CC ID 00293	Privacy protection for information and data	Establish/Maintain Documentation
Refrain from using misleading subject lines or false subject line on unsolicited commercial electronic messages. CC ID 00294	Privacy protection for information and data	Behavior
Define who enforces the anti-spam policy. CC ID 00295	Privacy protection for information and data	Establish Roles
Establish, implement, and maintain a do-not-e-mail registry. CC ID 00297	Privacy protection for information and data	Establish/Maintain Documentation
Enter individuals into the do-not-e-mail registry upon request. CC ID 11810	Privacy protection for information and data	Data and Information Management
Refrain from using address-harvesting software to send unsolicited commercial e-mails. CC ID 00298	Privacy protection for information and data	Behavior
Refrain from sending unsolicited commercial electronic messages to nonexistent electronic addresses. CC ID 00299 [Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless the person has, at the time the person sends the specified message, valid confirmation that the Singapore telephone number is not listed in the relevant register. § 43.(1) For the purposes of subsection (1), the person has valid confirmation that a Singapore telephone number is not listed in the relevant register in either of the following circumstances: the person has, within the prescribed duration before sending the specified message — received confirmation from the Commission that the Singapore telephone number is not listed in the relevant register; § 43.(2)(a)(ii) Subject to subsections (2) and (3), a person must not send, cause to be sent or authorise the sending of an applicable message. § 48B.(1)]	Privacy protection for information and data	Behavior
Include that commercial electronic messages may be sent to an individual in any situation where the sender has prior consent from the individual or another existing business relationship in the anti-spam policy. CC ID 00300	Privacy protection for information and data	Establish/Maintain Documentation
Send commercial electronic messages to individuals who have consented to receive them. CC ID 00302	Privacy protection for information and data	Behavior
Send commercial electronic messages to individuals who have an existing relationship with the organization. CC ID 00301	Privacy protection for information and data	Behavior
Send commercial electronic messages to individuals who perform a business function to which the content of the message pertains. CC ID 13995	Privacy protection for information and data	Communicate
Document erroneous messages when an unsolicited commercial electronic message is accidentally sent. CC ID 00303	Privacy protection for information and data	Establish/Maintain Documentation
Give customers the opportunity to object to receiving commercial electronic messages. CC ID 00304 [{allow} For the avoidance of doubt, a subscriber of a Singapore telephone number may, at any time on or after the date of commencement of this Part, withdraw any consent given for the style="background-color:#CBD0E5;" class="term_secondary-verb">sending of a specified message to that Singapore telephone number. § 47.(6)]	Privacy protection for information and data	Data and Information Management