0003342
Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021
Parliament of Singapore
Regulation or Statute
Free
Singapore Personal Data Protection Act 2012 (No. 26 of 2012) Revised Edition 2021
Singapore Personal Data Protection Act 2012 (No. 26 of 2012)
2021-08-25
The document as a whole was last reviewed and released on 2021-09-30T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure the quality of mapping is of the highest degree.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of metadata that are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021 that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021 are based upon terms either found within the Authority Document’s defined terms section (which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — conduct an assessment to determine that the proposed collection, use or disclosure of the personal data is not likely to have an adverse effect on the individual; § 15A.(4)(a) {legitimate interest}For the purposes of sub-paragraph (1), the organisation must — conduct an assessment, before collecting, using or disclosing the personal data (as the case may be), to determine whether sub-paragraph (1) is satisfied; and FIRST SCHEDULE PART 3 § 1.(2)(a)] | Process or Activity | Preventive | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Establish/Maintain Documentation | Preventive | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Establish/Maintain Documentation | Preventive | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Communicate | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Establish/Maintain Documentation | Preventive | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Establish/Maintain Documentation | Preventive | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [{legitimate interest}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify and implement reasonable measures — to eliminate the adverse effect; FIRST SCHEDULE PART 3 § 1.(3)(b)(i) {legitimate interest}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify and implement reasonable measures — to reduce the likelihood that the adverse effect will occur; or FIRST SCHEDULE PART 3 § 1.(3)(b)(ii) {legitimate interest}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify and implement reasonable measures — to mitigate the adverse effect; and FIRST SCHEDULE PART 3 § 1.(3)(b)(iii)] | Establish/Maintain Documentation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources Management | Preventive | |
Identify and define all critical roles. CC ID 00777 | Establish Roles | Preventive | |
Define and assign the data controller's roles and responsibilities. CC ID 00471 [An organisation is responsible for personal data in its possession or under its control. § 11.(2)] | Establish Roles | Preventive | |
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources Management | Preventive | |
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources Management | Preventive | |
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources Management | Preventive | |
Assign the role of data controller to applicable controls. CC ID 00354 | Establish Roles | Preventive | |
Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources Management | Preventive | |
Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Establish Roles | Preventive | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Establish Roles | Preventive | |
Assign and staff all roles appropriately. CC ID 00784 | Testing | Detective | |
Delegate authority for specific processes, as necessary. CC ID 06780 [An individual designated under subsection (3) may delegate to another individual the responsibility conferred by that designation. § 11.(4)] | Behavior | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [An organisation shall — develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under this Act; § 12.(a)] | Establish/Maintain Documentation | Preventive | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 | Behavior | Preventive | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Establish/Maintain Documentation | Preventive | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Establish/Maintain Documentation | Preventive | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Process or Activity | Preventive | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 | Process or Activity | Preventive | |
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Audits and Risk Management | Preventive | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Human Resources Management | Preventive | |
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Human Resources Management | Preventive | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Establish/Maintain Documentation | Preventive | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Establish/Maintain Documentation | Preventive | |
Include the scope in the compliance policy. CC ID 14812 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Communicate | Preventive | |
Include management commitment in the compliance policy. CC ID 14808 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Communicate | Preventive | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 | Business Processes | Preventive | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Behavior | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 | Establish/Maintain Documentation | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Business Processes | Preventive | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Actionable Reports or Measurements | Corrective | |
Review the relevance of information supporting internal controls. CC ID 12420 | Business Processes | Detective | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Establish Roles | Preventive | |
Assign resources to implement the internal control framework. CC ID 00816 | Business Processes | Preventive | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Establish Roles | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Business Processes | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Establish/Maintain Documentation | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Establish/Maintain Documentation | Preventive | |
Leverage actionable information to support internal controls. CC ID 12414 | Business Processes | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Establish/Maintain Documentation | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Establish/Maintain Documentation | Preventive | |
Include threat assessment in the internal control framework. CC ID 01347 | Establish/Maintain Documentation | Preventive | |
Automate threat assessments, as necessary. CC ID 06877 | Configuration | Preventive | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Establish/Maintain Documentation | Preventive | |
Automate vulnerability management, as necessary. CC ID 11730 | Configuration | Preventive | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Establish/Maintain Documentation | Preventive | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Establish/Maintain Documentation | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Establish/Maintain Documentation | Preventive | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Establish/Maintain Documentation | Preventive | |
Share security information with interested personnel and affected parties. CC ID 11732 | Communicate | Preventive | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Process or Activity | Preventive | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Establish/Maintain Documentation | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Establish/Maintain Documentation | Preventive | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Establish/Maintain Documentation | Preventive | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Establish/Maintain Documentation | Detective | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Communicate | Preventive | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Communicate | Preventive | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 | Establish/Maintain Documentation | Preventive | |
Include physical safeguards in the information security program. CC ID 12375 | Establish/Maintain Documentation | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 | Establish/Maintain Documentation | Preventive | |
Include administrative safeguards in the information security program. CC ID 12373 | Establish/Maintain Documentation | Preventive | |
Include system development in the information security program. CC ID 12389 | Establish/Maintain Documentation | Preventive | |
Include system maintenance in the information security program. CC ID 12388 | Establish/Maintain Documentation | Preventive | |
Include system acquisition in the information security program. CC ID 12387 | Establish/Maintain Documentation | Preventive | |
Include access control in the information security program. CC ID 12386 | Establish/Maintain Documentation | Preventive | |
Review and approve access controls, as necessary. CC ID 13074 | Process or Activity | Detective | |
Include operations management in the information security program. CC ID 12385 | Establish/Maintain Documentation | Preventive | |
Include communication management in the information security program. CC ID 12384 | Establish/Maintain Documentation | Preventive | |
Include environmental security in the information security program. CC ID 12383 | Establish/Maintain Documentation | Preventive | |
Include physical security in the information security program. CC ID 12382 | Establish/Maintain Documentation | Preventive | |
Include human resources security in the information security program. CC ID 12381 | Establish/Maintain Documentation | Preventive | |
Include asset management in the information security program. CC ID 12380 | Establish/Maintain Documentation | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Establish/Maintain Documentation | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Establish/Maintain Documentation | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Establish/Maintain Documentation | Preventive | |
Include how the information security department is organized in the information security program. CC ID 12379 | Establish/Maintain Documentation | Preventive | |
Include risk management in the information security program. CC ID 12378 | Establish/Maintain Documentation | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Establish/Maintain Documentation | Preventive | |
Provide management direction and support for the information security program. CC ID 11999 | Process or Activity | Preventive | |
Monitor and review the effectiveness of the information security program. CC ID 12744 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 | Establish/Maintain Documentation | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Business Processes | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Establish/Maintain Documentation | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Establish/Maintain Documentation | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Establish/Maintain Documentation | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 | Establish/Maintain Documentation | Preventive | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Establish/Maintain Documentation | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Establish/Maintain Documentation | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 | Process or Activity | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Business Processes | Preventive | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Communicate | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Establish/Maintain Documentation | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Process or Activity | Preventive | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Establish Roles | Preventive | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Human Resources Management | Preventive | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Establish/Maintain Documentation | Preventive | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Human Resources Management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Communicate | Preventive | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Establish/Maintain Documentation | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Business Processes | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Business Processes | Preventive | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Behavior | Preventive | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Establish/Maintain Documentation | Preventive | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Establish/Maintain Documentation | Preventive | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Establish/Maintain Documentation | Preventive | |
Perform social network analysis, as necessary. CC ID 14864 | Investigate | Detective | |
Establish, implement, and maintain operational control procedures. CC ID 00831 | Establish/Maintain Documentation | Preventive | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Establish/Maintain Documentation | Preventive | |
Include startup processes in operational control procedures. CC ID 00833 | Establish/Maintain Documentation | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a data processing run manual. CC ID 00832 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Establish/Maintain Documentation | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Process or Activity | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Establish/Maintain Documentation | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Establish/Maintain Documentation | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Establish/Maintain Documentation | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Establish/Maintain Documentation | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Establish/Maintain Documentation | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Establish/Maintain Documentation | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Establish/Maintain Documentation | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Establish/Maintain Documentation | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Establish/Maintain Documentation | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Establish/Maintain Documentation | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Establish/Maintain Documentation | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Establish/Maintain Documentation | Preventive | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Records Management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Business Processes | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Process or Activity | Preventive | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Business Processes | Preventive | |
Update operating procedures that contribute to user errors. CC ID 06935 | Establish/Maintain Documentation | Corrective | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Communicate | Preventive | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Establish/Maintain Documentation | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Establish/Maintain Documentation | Preventive | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Establish/Maintain Documentation | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Establish/Maintain Documentation | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Establish/Maintain Documentation | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Establish/Maintain Documentation | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Establish/Maintain Documentation | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Establish/Maintain Documentation | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Establish/Maintain Documentation | Preventive | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Establish/Maintain Documentation | Preventive | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Establish/Maintain Documentation | Preventive | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Technical Security | Preventive | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Establish/Maintain Documentation | Preventive | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Data and Information Management | Preventive | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Establish/Maintain Documentation | Preventive | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Establish/Maintain Documentation | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Establish/Maintain Documentation | Preventive | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Establish/Maintain Documentation | Preventive | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Establish/Maintain Documentation | Corrective | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Establish/Maintain Documentation | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Establish/Maintain Documentation | Preventive | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Communicate | Preventive | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Establish/Maintain Documentation | Preventive | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Business Processes | Preventive | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Establish/Maintain Documentation | Preventive | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Establish/Maintain Documentation | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Establish/Maintain Documentation | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 [{be clear}{be accurate}Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes clear and accurate information identifying the individual or organisation that sent or authorised the sending of the specified message; § 44.(a) {be clear}{be accurate}Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes clear and accurate information about how the recipient can readily contact that individual or organisation; § 44.(b) Subject to section 48(3), a person that makes a voice call containing a specified message or causes a voice call containing a specified message to be made or authorises the making of a voice call containing a specified message, addressed to a Singapore telephone number, from a telephone number or fax number, must not do any of the following: conceal or withhold from the recipient the calling line identity of the sender; § 45.(a) Subject to section 48(3), a person that makes a voice call containing a specified message or causes a voice call containing a specified message to be made or authorises the making of a voice call containing a specified message, addressed to a Singapore telephone number, from a telephone number or fax number, must not do any of the following: perform any operation or issue any instruction in connection with the sending of the specified message for the purpose of, or that has the effect of, concealing or withholding from the recipient the calling line identity of the sender. § 45.(b)] | Data and Information Management | Preventive | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Communicate | Preventive | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Establish/Maintain Documentation | Preventive | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 | Establish/Maintain Documentation | Preventive | |
Include use limitations in the use of information agreement. CC ID 06244 | Establish/Maintain Documentation | Preventive | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Establish/Maintain Documentation | Preventive | |
Include information recipients in the use of information agreement. CC ID 06245 | Establish/Maintain Documentation | Preventive | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Establish/Maintain Documentation | Preventive | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Establish/Maintain Documentation | Preventive | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Establish/Maintain Documentation | Preventive | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Establish/Maintain Documentation | Preventive | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Establish/Maintain Documentation | Preventive | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Establish/Maintain Documentation | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 | Process or Activity | Preventive | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Process or Activity | Preventive | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Process or Activity | Preventive | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Process or Activity | Preventive | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Process or Activity | Preventive | |
Analyze the organizational culture. CC ID 12899 | Process or Activity | Preventive | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Process or Activity | Detective | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Process or Activity | Detective | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Process or Activity | Detective | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Behavior | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Business Processes | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Business Processes | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Business Processes | Preventive | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Behavior | Preventive | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Behavior | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Business Processes | Preventive | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Behavior | Preventive | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Behavior | Preventive | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Process or Activity | Corrective | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{reasonable and appropriate measure} In meeting its responsibilities under this Act, an organisation shall consider what a reasonable person would consider appropriate in the circumstances. § 11.(1) The designation of an individual by an organisation under subsection (3) shall not relieve the organisation of any of its obligations under this Act. § 11.(6) {legitimate interest}{personal data}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — comply with any other prescribed requirements. FIRST SCHEDULE PART 3 § 1.(3)(c)] | Establish/Maintain Documentation | Preventive | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Communicate | Preventive | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Business Processes | Preventive | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [An organisation shall — communicate to its staff information about the organisation's policies and practices referred to in paragraph (a); and § 12.(c) An organisation shall — make information available on request about— the policies and practices referred to in paragraph (a); and § 12.(d)(i)] | Behavior | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Business Processes | Preventive | |
Include detection procedures in the Incident Management program. CC ID 00588 | Establish/Maintain Documentation | Preventive | |
Share incident information with interested personnel and affected parties. CC ID 01212 [{data breach} The notification under subsection (1) must be made in the form and submitted in the manner required by the Commission. § 26D.(4)] | Data and Information Management | Corrective | |
Share data loss event information with the media. CC ID 01759 | Behavior | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Data and Information Management | Preventive | |
Share data loss event information with interconnected system owners. CC ID 01209 | Establish/Maintain Documentation | Corrective | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Communicate | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Communicate | Preventive | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Establish/Maintain Documentation | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 [Where an organisation assesses, in accordance with section 26C, that a data breach is a notifiable data breach, the organisation must notify the Commission as soon as is practicable, but in any case no later than 3 calendar days after the day the organisation makes that assessment. § 26D.(1)] | Data and Information Management | Corrective | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Log Management | Detective | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Communicate | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Communicate | Preventive | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Behavior | Corrective | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 [Where a data intermediary (other than a data intermediary mentioned in section 26E) has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation — the data intermediary must, without undue delay, notify that other organisation of the occurrence of the data breach; and § 26C.(3)(a) Subject to subsections (5), (6) and (7), on or after notifying the Commission under subsection (1), the organisation must also notify each affected individual affected by a notifiable data breach mentioned in section 26B(1)(a) in any manner that is reasonable in the circumstances. § 26D.(2) {refrain from delaying} the organisation must, without undue delay, notify the public agency of the occurrence of the data breach. § 26E. ¶ 1] | Behavior | Corrective | |
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 [Where a data intermediary (other than a data intermediary mentioned in section 26E) has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation — that other organisation must, upon notification by the data intermediary, conduct an assessment of whether the data breach is a notifiable data breach. § 26C.(3)(b) {reasonable manner}{be efficient} Subject to subsection (3), where an organisation has reason to believe that a data breach affecting personal data in its possession or under its control has occurred, the organisation must conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach. § 26C.(2)] | Behavior | Detective | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Behavior | Corrective | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Establish/Maintain Documentation | Preventive | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Communicate | Preventive | |
Revoke the written request to delay the notification. CC ID 16843 | Process or Activity | Preventive | |
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Establish/Maintain Documentation | Preventive | |
Avoid false positive incident response notifications. CC ID 04732 | Behavior | Detective | |
Establish, implement, and maintain incident response notifications. CC ID 12975 [{data breach} The notification under subsection (1) must be made in the form and submitted in the manner required by the Commission. § 26D.(4)] | Establish/Maintain Documentation | Corrective | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Business Processes | Preventive | |
Include information required by law in incident response notifications. CC ID 00802 [The notification under subsection (1) or (2) must contain, to the best of the knowledge and belief of the organisation at the time it notifies the Commission or affected individual (as the case may be), all the information that is prescribed for this purpose. § 26D.(3)] | Establish/Maintain Documentation | Detective | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Establish/Maintain Documentation | Preventive | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Establish/Maintain Documentation | Preventive | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Establish/Maintain Documentation | Preventive | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Establish/Maintain Documentation | Preventive | |
Use plain language to write incident response notifications. CC ID 12976 | Establish/Maintain Documentation | Preventive | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Establish/Maintain Documentation | Preventive | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Actionable Reports or Measurements | Preventive | |
Include the affected parties rights in the incident response notification. CC ID 16811 | Establish/Maintain Documentation | Preventive | |
Include details of the investigation in incident response notifications. CC ID 12296 | Establish/Maintain Documentation | Preventive | |
Include the issuer's name in incident response notifications. CC ID 12062 | Establish/Maintain Documentation | Preventive | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Establish/Maintain Documentation | Preventive | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 | Establish/Maintain Documentation | Preventive | |
Include time information in incident response notifications. CC ID 04745 | Establish/Maintain Documentation | Preventive | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Establish/Maintain Documentation | Preventive | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Establish/Maintain Documentation | Preventive | |
Include the type of information that was lost in incident response notifications. CC ID 04735 | Establish/Maintain Documentation | Preventive | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Establish/Maintain Documentation | Preventive | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Establish/Maintain Documentation | Preventive | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Establish/Maintain Documentation | Preventive | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Establish/Maintain Documentation | Preventive | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Establish/Maintain Documentation | Preventive | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Establish/Maintain Documentation | Preventive | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Establish/Maintain Documentation | Preventive | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Establish/Maintain Documentation | Preventive | |
Include any consequences in the incident response notifications. CC ID 12604 | Establish/Maintain Documentation | Preventive | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Establish/Maintain Documentation | Preventive | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Establish/Maintain Documentation | Preventive | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Establish/Maintain Documentation | Detective | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Communicate | Corrective | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Business Processes | Corrective | |
Include contact information in incident response notifications. CC ID 04739 | Establish/Maintain Documentation | Preventive | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Communicate | Preventive | |
Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Behavior | Corrective | |
Post the incident response notification on the organization's website. CC ID 16809 | Process or Activity | Preventive | |
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Behavior | Corrective | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Process or Activity | Preventive | |
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Behavior | Corrective | |
Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Behavior | Corrective | |
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Behavior | Preventive | |
Include contact information in the substitute incident response notification. CC ID 16776 | Establish/Maintain Documentation | Preventive | |
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Establish/Maintain Documentation | Preventive | |
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Behavior | Preventive | |
Publish the incident response notification in a general circulation periodical. CC ID 04651 | Behavior | Corrective | |
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Behavior | Preventive | |
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Behavior | Corrective | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Communicate | Corrective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Data and Information Management | Preventive | |
Establish, implement, and maintain opt-out notices. CC ID 13448 [A subscriber may apply to the Commission, in the form and manner prescribed — to remove his Singapore telephone number from a register. § 40.(1)(b)] | Establish/Maintain Documentation | Preventive | |
Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 | Establish/Maintain Documentation | Preventive | |
Include the opt out method for data subjects in the opt-out notice. CC ID 13467 | Establish/Maintain Documentation | Preventive | |
Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 | Establish/Maintain Documentation | Preventive | |
Explain the right to opt out in the opt-out notice. CC ID 13462 | Establish/Maintain Documentation | Preventive | |
Include the organization's right to share personal data in the opt-out notice. CC ID 13450 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain adequate openness procedures. CC ID 00377 [{absent consent} An organisation, on or before collecting personal data about an individual from another organisation without the consent of the individual, shall provide the other organisation with sufficient information regarding the purpose of the An organisation shall — make information available on request about — § 12.(d)] | Data and Information Management | Preventive | |
Provide public proof the organization participates in a privacy program. CC ID 12349 | Communicate | Preventive | |
Publish a description of processing activities in an official register. CC ID 00379 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a records request manual. CC ID 00381 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 | Establish/Maintain Documentation | Preventive | |
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 | Behavior | Preventive | |
Define what is included in registration notices. CC ID 00386 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the registration notice. CC ID 16803 | Establish Roles | Preventive | |
Include the verification method in the registration notice. CC ID 16798 | Establish/Maintain Documentation | Preventive | |
Include the statutory authority in the registration notice. CC ID 16799 | Establish/Maintain Documentation | Preventive | |
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 | Establish/Maintain Documentation | Preventive | |
Include a purpose specification description in the registration notice. CC ID 00388 | Establish/Maintain Documentation | Preventive | |
Include information about the dispute resolution body in the registration notice. CC ID 16800 | Establish/Maintain Documentation | Preventive | |
Include the data subject category being processed in the registration notice. CC ID 00389 | Establish/Maintain Documentation | Preventive | |
Include the time period for data processing in the registration notice. CC ID 00390 | Establish/Maintain Documentation | Preventive | |
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 | Establish/Maintain Documentation | Preventive | |
Provide legal authorities access to personal data, upon request. CC ID 06818 | Data and Information Management | Preventive | |
Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 | Process or Activity | Preventive | |
Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 | Establish/Maintain Documentation | Preventive | |
Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 [For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of — on request by the individual, the business contact information of a person who is able to answer on behalf of the organisation the individual's questions about the collection, use or disclosure of the personal data. § 20.(1)(c) An organisation shall make available to the public the business contact information of at least one of the individuals designated under subsection (3) or delegated under subsection (4). § 11.(5) Without limiting subsection (5), an organisation is deemed to have satisfied that subsection if the organisation makes available the business contact information of any individual mentioned in subsection (3) in any prescribed manner. § 11.(5A)] | Establish/Maintain Documentation | Preventive | |
Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 [An organisation shall — make information available on request about — the complaint process referred to in paragraph (b). § 12.(d).(ii)] | Establish/Maintain Documentation | Preventive | |
Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 [{person} A checker must — provide the applicable information to P in accordance with any prescribed requirements. § 43A.(2)(b)] | Process or Activity | Preventive | |
Document the countries where restricted data may be stored. CC ID 12750 | Data and Information Management | Preventive | |
Protect the rights of students and their parents or legal representatives. CC ID 00222 | Data and Information Management | Preventive | |
Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 | Technical Security | Preventive | |
Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 | Records Management | Preventive | |
Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 | Records Management | Preventive | |
Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 | Records Management | Corrective | |
Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 | Records Management | Corrective | |
Define the criteria for waivers of data subjects' rights. CC ID 16858 | Behavior | Preventive | |
Revoke waivers of data subject's rights, as necessary. CC ID 16859 | Behavior | Preventive | |
Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 | Establish/Maintain Documentation | Preventive | |
Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 | Establish/Maintain Documentation | Preventive | |
Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 | Establish/Maintain Documentation | Preventive | |
Disclose educational data, as necessary. CC ID 00223 [{disclose}{without consent} The disclosure of personal data about an individual who is a current or former student of an educational institution to a public agency for the purposes of policy formulation or review. SECOND SCHEDULE PART 3 Division 1 § 2.] | Data and Information Management | Preventive | |
Grant access to education records in support of educational program audits. CC ID 13032 | Records Management | Preventive | |
Grant access to education records in support of external requirements. CC ID 13033 | Records Management | Preventive | |
Disclose statements added to education records, as necessary. CC ID 12990 | Communicate | Preventive | |
Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 | Data and Information Management | Preventive | |
Disclose education records when written consent is received. CC ID 00224 | Data and Information Management | Preventive | |
Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 | Establish/Maintain Documentation | Preventive | |
Specify the purpose of the disclosure in the written consent. CC ID 13001 | Establish/Maintain Documentation | Preventive | |
Specify which education records may be disclosed in the written consent. CC ID 13000 | Establish/Maintain Documentation | Preventive | |
Document the conditions when consent is not required to disclose educational data. CC ID 00225 | Establish/Maintain Documentation | Preventive | |
Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 | Communicate | Preventive | |
Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 | Communicate | Preventive | |
Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 | Communicate | Preventive | |
Disclose educational data absent consent to other school officials. CC ID 00226 | Data and Information Management | Preventive | |
Disclose educational data absent consent to another institution's school officials. CC ID 00227 | Data and Information Management | Preventive | |
Disclose educational data absent consent in connection with financial aid. CC ID 00229 | Data and Information Management | Preventive | |
Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 | Data and Information Management | Preventive | |
Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 | Communicate | Preventive | |
Disclose educational data absent consent to accrediting organizations. CC ID 00231 | Data and Information Management | Preventive | |
Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 | Data and Information Management | Preventive | |
Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 | Data and Information Management | Preventive | |
Disclose educational data absent consent for a health and safety emergency. CC ID 00234 | Data and Information Management | Preventive | |
Disclose educational data absent consent when it is merely directory information. CC ID 00235 | Data and Information Management | Preventive | |
Disclose educational data absent consent to a crime victim. CC ID 00236 | Data and Information Management | Preventive | |
Record the health and safety threats of students when disclosing personal data. CC ID 12997 | Establish/Maintain Documentation | Preventive | |
Refrain from providing information to the data subject, as necessary. CC ID 12625 [An organisation is not required to provide information under section 21(1) in respect of— any examination conducted by an education institution, examination scripts and, prior to the release of examination results, examination results; FIFTH SCHEDULE § 1.(b) An organisation is not required to provide information under section 21(1) in respect of— the personal data of the beneficiaries of a private trust kept solely for the purpose of administering the trust; FIFTH SCHEDULE § 1.(c) An organisation is not required to provide information under section 21(1) in respect of— personal data kept by an arbitral institution or a mediation centre solely for the purposes of An organisation is not required to provide information under section 21(1) in respect of— a document related to a prosecution if all proceedings related to the prosecution have An organisation is not required to provide information under section 21(1) in respect of— personal data which is subject to An organisation is not required to provide information under section 21(1) in respect of— personal data kept by an arbitral institution or a mediation centre solely for the purposes of {notifiable data breach}An organisation must not notify any affected individual in accordance with subsection (2) if — the Commission so directs. § 26D.(6)(b) An organisation is not required to provide information under section 21(1) in respect of — derived personal data. SIXTH SCHEDULE § 1.(f)] | Communicate | Preventive | |
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 [{notifiable data breach}An organisation must not notify any affected individual in accordance with subsection (2) if — a prescribed law enforcement agency so instructs; or § 26D.(6)(a)] | Communicate | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 | Communicate | Preventive | |
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 | Communicate | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 | Communicate | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 | Communicate | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 | Communicate | Preventive | |
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 | Communicate | Preventive | |
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 | Communicate | Preventive | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Establish/Maintain Documentation | Preventive | |
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [{legitimate interest}For the purposes of sub-paragraph (1), the organisation must — provide the individual with reasonable access to information about the organisation's collection, use or disclosure of personal data (as the case may be) in accordance with sub-paragraph (1). FIRST SCHEDULE PART 3 § 1.(2)(b)] | Data and Information Management | Preventive | |
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Business Processes | Preventive | |
Provide the data subject with the data protection officer's contact information. CC ID 12573 | Business Processes | Preventive | |
Notify the data subject of the right to data portability. CC ID 12603 | Process or Activity | Preventive | |
Provide the data subject with information about the right to erasure. CC ID 12602 | Process or Activity | Preventive | |
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [Any person may apply to the Commission, in the form and manner required by the Commission, to confirm whether any Singapore telephone number is listed in a register. § 40.(2)] | Establish/Maintain Documentation | Preventive | |
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Data and Information Management | Preventive | |
Establish and maintain a disclosure accounting record. CC ID 13022 | Establish/Maintain Documentation | Preventive | |
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 | Establish/Maintain Documentation | Preventive | |
Include the disclosure purpose in the disclosure accounting record. CC ID 07135 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the organisation's intention to collect, use or disclose the personal data; § 15A.(4)(b)(i)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the purpose for which the personal data will be collected, used or disclosed; § 15A.(4)(b)(ii)] | Communicate | Preventive | |
Establish, implement, and maintain personal data choice and consent program. CC ID 12569 [A subscriber may apply to the Commission, in the form and manner prescribed — to add his Singapore telephone number to a register; or § 40.(1)(a) A person does not contravene subsection (1) if the subscriber or user of the Singapore telephone number to which a specified message is sent — gave clear and unambiguous consent to the sending of the specified message to that Singapore telephone number; and § 43.(4)(a)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data request procedures. CC ID 16546 | Establish/Maintain Documentation | Preventive | |
Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 | Human Resources Management | Preventive | |
Refrain from charging a fee to implement an opt-out request. CC ID 13877 | Business Processes | Preventive | |
Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 [A person does not contravene subsection (1) if the subscriber or user of the Singapore telephone number to which a specified message is sent — the consent is evidenced in written or other form so as to be accessible for subsequent reference. § 43.(4)(b)] | Establish/Maintain Documentation | Preventive | |
Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 | Establish/Maintain Documentation | Preventive | |
Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 | Establish/Maintain Documentation | Preventive | |
Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 | Establish/Maintain Documentation | Preventive | |
Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 | Establish/Maintain Documentation | Preventive | |
Include the identity of the data subject in the disclosure authorization form. CC ID 13436 | Establish/Maintain Documentation | Preventive | |
Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 | Establish/Maintain Documentation | Preventive | |
Include how personal data will be used in the disclosure authorization form. CC ID 13441 | Establish/Maintain Documentation | Preventive | |
Include agreement termination information in the disclosure authorization form. CC ID 13437 | Establish/Maintain Documentation | Preventive | |
Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 | Business Processes | Preventive | |
Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Business Processes | Preventive | |
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 | Data and Information Management | Preventive | |
Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Business Processes | Preventive | |
Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Business Processes | Preventive | |
Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 | Data and Information Management | Preventive | |
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [{allow} On giving notice, a subscriber or user of a Singapore telephone number may at any time withdraw any consent given to a person for the sending of any specified message to that Singapore telephone number. § 47.(1)] | Business Processes | Preventive | |
Confirm the individual's identity before granting an opt-out request. CC ID 16813 | Process or Activity | Preventive | |
Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 | Establish/Maintain Documentation | Preventive | |
Allow consent requests to be provided in any official languages. CC ID 16530 | Business Processes | Preventive | |
Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 | Communicate | Preventive | |
Collect and retain disclosure authorizations for each data subject. CC ID 13434 | Records Management | Preventive | |
Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 [{refrain from requiring}{is unreasonable} A person shall not, as a condition for supplying goods, services, land, interest or opportunity, require a subscriber or user of a Singapore telephone number to give consent for the sending of a specified message to that Singapore telephone number or any other Singapore telephone number beyond what is reasonable to provide the goods, services, land, interest or opportunity to that subscriber or user, and any consent given in such circumstance is not validly given. § 46.(1) An organisation shall not — as a condition of providing a product or service, require an individual to consent to the collection, use or disclosure of personal data about the individual beyond what is reasonable to provide the product or service to that individual; or § 14.(2)(a)] | Data and Information Management | Preventive | |
Refrain from obtaining consent through deception. CC ID 13556 [{deceptive act or practice}{refrain from accepting} If a person obtains or attempts to obtain consent for sending a specified message to a Singapore telephone number— by providing false or misleading information with respect to the sending of the specified message; or by using deceptive or misleading practices, any consent given in such circumstances is not validly given. § 46.(2) ¶ 1 An organisation shall not — obtain or attempt to obtain consent for collecting, using, or disclosing personal data by providing false or misleading information with respect to the collection, use, or disclosure of the personal data, or using deceptive or misleading practices. § 14.(2)(b)] | Data and Information Management | Preventive | |
Give individuals the ability to change the uses of their personal data. CC ID 00469 [{refrain from using} Notwithstanding the other provisions in this Part, an organisation may use personal data about an individual collected before the appointed day for the purposes for which the personal data was collected unless — consent for such use is withdrawn in accordance with section 16; or § 19.(a) A person shall not prohibit a subscriber or user of a Singapore telephone number from withdrawing his consent to the sending of a specified message to that Singapore telephone number, but this section shall not affect any legal consequences arising from such withdrawal. § 47.(2)] | Data and Information Management | Preventive | |
Notify data subjects of the implications of withdrawing consent. CC ID 13551 [On receipt of the notice referred to in subsection (1), the organisation concerned shall inform the individual of the likely consequences of withdrawing his consent. § 16.(2) An organisation shall not prohibit an individual from withdrawing his consent to the collection, use or disclosure of personal data about the individual, but this section shall not affect any legal consequences arising from such withdrawal. § 16.(3)] | Data and Information Management | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Establish/Maintain Documentation | Preventive | |
Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 [An organisation shall designate one or more individuals to be responsible for ensuring that the organisation complies with this Act. § 11.(3)] | Human Resources Management | Preventive | |
Require data controllers to be accountable for their actions. CC ID 00470 | Establish Roles | Preventive | |
Notify the supervisory authority. CC ID 00472 [{terminated telephone number} Every telecommunications service provider shall report to the Commission, in the form and manner prescribed, all terminated Singapore telephone numbers. § 42.(1) {report}{terminated telephone number}For the purpose of subsection (1), where — it shall be the responsibility of the first provider to satisfy subsection (1). § 42.(4) ¶ 1] | Behavior | Preventive | |
Establish, implement, and maintain approval applications. CC ID 16778 | Establish/Maintain Documentation | Preventive | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Business Processes | Preventive | |
Submit approval applications to the supervisory authority. CC ID 16627 | Communicate | Preventive | |
Include required information in the approval application. CC ID 16628 | Establish/Maintain Documentation | Preventive | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Business Processes | Preventive | |
Approve the approval application unless applicant has been convicted. CC ID 16603 | Process or Activity | Preventive | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 | Process or Activity | Preventive | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Communicate | Preventive | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Communicate | Corrective | |
Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 [{business improvement purpose}Sub-paragraph (1)(a) and (c) applies only if — X and Y are bound by any contract or other agreement or binding corporate rules requiring the recipient of personal data about P to implement and maintain appropriate safeguards for the personal data. FIRST SCHEDULE PART 5 § 1.(3)(c)] | Establish/Maintain Documentation | Preventive | |
Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 | Establish/Maintain Documentation | Preventive | |
Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 | Establish/Maintain Documentation | Preventive | |
Include data subject's rights in the Binding Corporate Rules. CC ID 12596 | Establish/Maintain Documentation | Preventive | |
Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 | Establish/Maintain Documentation | Preventive | |
Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 | Establish/Maintain Documentation | Preventive | |
Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 | Establish/Maintain Documentation | Preventive | |
Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 | Establish/Maintain Documentation | Preventive | |
Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 | Establish/Maintain Documentation | Preventive | |
Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 | Establish/Maintain Documentation | Preventive | |
Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 | Establish/Maintain Documentation | Preventive | |
Include complaint procedures in the Binding Corporate Rules. CC ID 12613 | Establish/Maintain Documentation | Preventive | |
Include the data transfers in the Binding Corporate Rules. CC ID 12590 | Establish/Maintain Documentation | Preventive | |
Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 | Establish/Maintain Documentation | Preventive | |
Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 | Establish/Maintain Documentation | Preventive | |
Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 | Establish/Maintain Documentation | Preventive | |
Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 | Establish/Maintain Documentation | Preventive | |
Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 | Establish/Maintain Documentation | Preventive | |
Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 | Establish/Maintain Documentation | Preventive | |
Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Data Processing Contracts. CC ID 12650 | Establish/Maintain Documentation | Preventive | |
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — satisfy any other prescribed requirements. § 15A.(4)(c) The organisation must, in respect of the assessment mentioned in subsection (4)(a) — comply with any other prescribed requirements. § 15A.(5)(c) {person}A checker is deemed to have complied with subsection (2)(a) if — the applicable information that the checker provides to P is in accordance with a reply from the Commission in response to the checker's application under section 40(2); and § 43A.(3)(a)] | Establish/Maintain Documentation | Preventive | |
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 [{prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: if any personal data X collects from Y does not relate directly to the part of Y or Y's business assets with which the business asset transaction entered into is concerned, X must destroy, or return to Y, that personal data; FIRST SCHEDULE PART 4 § 1.(4)(b)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Establish/Maintain Documentation | Preventive | |
Notify the data subject of the collection purpose. CC ID 00095 [For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of— the purposes for the collection, use or disclosure of the personal data, as the case may be, on or before For the purposes of subsection (4), the organisation must inform the individual of the following: the purpose for which the organisation is collecting, using or disclosing (as the case may be) the personal data about the individual; § 20.(5)(a) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the purpose for which the personal data will be collected, used or disclosed; § 15A.(4)(b)(ii) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the organisation's intention to collect, use or disclose the personal data; § 15A.(4)(b)(i) {individual's vital interest} Where the organisation collects, uses or discloses (as the case may be) personal data about the individual under sub-paragraph (1), the organisation must, as soon as is practicable, notify the individual of the collection, use or disclosure (as the case may be) and the purpose for the collection, use or disclosure, as the case may be. FIRST SCHEDULE PART 1 § 1.(2)] | Behavior | Preventive | |
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Data and Information Management | Preventive | |
Notify the data subject of changes to personal data use. CC ID 00105 [For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of— any other purpose of the use or disclosure of the personal data of which the individual has not been informed under paragraph (a), before the use or disclosure of the personal data for that purpose; and § 20.(1)(b)] | Behavior | Preventive | |
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Establish/Maintain Documentation | Preventive | |
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Establish/Maintain Documentation | Preventive | |
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 [If an individual gives or is deemed to have given, consent to the disclosure of personal data about the individual by one organisation to another organisation for a particular purpose, the individual is deemed to consent to the collection, use, or disclosure of the personal data for that particular purpose by that other organisation. § 15.(2) {consent}{disclosure} Where an organisation collects personal data disclosed to it by B under subsection (3)(c), subsection (3)(b) and (c) applies to the organisation as if the personal data were disclosed by A to the organisation under subsection (3)(a). § 15.(4)] | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Establish/Maintain Documentation | Preventive | |
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Establish/Maintain Documentation | Preventive | |
Dispose of media and restricted data in a timely manner. CC ID 00125 [{dispose}{deidentify}{no longer appropriate} An organisation shall cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that — the purpose for which that personal data was collected is no longer being served by retention of the personal data; and § 25.(a) {dispose}{deidentify} An organisation shall cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that— retention is no longer necessary for legal or business purposes. § 25.(b) {prospective party}{organization} If the business asset transaction does not proceed or is not completed, X must destroy, or return to Y, all personal data collected. FIRST SCHEDULE PART 4 § 1.(5) {organization}{prospective party}{business asset transaction}{individual}If the relevant transaction does not proceed or is not completed — X must destroy, or return to Y or Z (as the case may be), all personal data collected; and FIRST SCHEDULE PART 4 § 2.(4)(a) {business asset transaction}{organization}If the relevant transaction does not proceed or is not completed — Y must destroy, or return to Z, all personal data collected. FIRST SCHEDULE PART 4 § 2.(4)(b)] | Data and Information Management | Preventive | |
Refrain from destroying records being inspected or reviewed. CC ID 13015 | Records Management | Preventive | |
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Communicate | Preventive | |
Establish, implement, and maintain data access procedures. CC ID 00414 | Establish/Maintain Documentation | Preventive | |
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 [An organisation may collect, use or disclose personal data about an individual only for purposes— that the individual has been Subject to subsections (2), (3) and (4), on request of an individual, an organisation shall, as soon as reasonably possible, provide the individual with— information about the ways in which the personal data referred to in paragraph (a) has been or may have been used or disclosed by the organisation within a year before the date of the request. § 21.(1)(b) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the purpose for which the personal data will be collected, used or disclosed; § 15A.(4)(b)(ii) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the organisation's intention to collect, use or disclose the personal data; § 15A.(4)(b)(i) {individual's vital interest} Where the organisation collects, uses or discloses (as the case may be) personal data about the individual under sub-paragraph (1), the organisation must, as soon as is practicable, notify the individual of the collection, use or disclosure (as the case may be) and the purpose for the collection, use or disclosure, as the case may be. FIRST SCHEDULE PART 1 § 1.(2) For the purposes of subsection (4), the organisation must inform the individual of the following: the purpose for which the organisation is collecting, using or disclosing (as the case may be) the personal data about the individual; § 20.(5)(a) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or § 20.(4)(a) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. § 20.(4)(b)] | Data and Information Management | Preventive | |
Provide individuals with information about disclosure of their personal data. CC ID 00417 [{individual's vital interest} Where the organisation collects, uses or discloses (as the case may be) personal data about the individual under sub-paragraph (1), the organisation must, as soon as is practicable, notify the individual of the collection, use or disclosure (as the case may be) and the purpose for the collection, use or disclosure, as the case may be. FIRST SCHEDULE PART 1 § 1.(2)] | Data and Information Management | Preventive | |
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Data and Information Management | Preventive | |
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [{allow} An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. § 22.(1)] | Establish/Maintain Documentation | Preventive | |
Submit personal data removal requests in writing. CC ID 11973 | Records Management | Preventive | |
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Establish/Maintain Documentation | Preventive | |
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Records Management | Corrective | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 [Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the organisation satisfies the requirements in subsection (4); and § 15A.(2)(a)] | Establish/Maintain Documentation | Preventive | |
Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual; § 15A.(5)(a) {legitimate interest}{collect}{disclose}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify any adverse effect that the proposed collection, use or disclosure (as the case may be) of personal data about an individual is likely to have on the individual; FIRST SCHEDULE PART 3 § 1.(3)(a)] | Data and Information Management | Preventive | |
Disclose de-identified data, as necessary. CC ID 13034 | Communicate | Preventive | |
Notify the data subject after personal data is used or disclosed. CC ID 06247 [{business asset transaction}{organization}{prospective party}If X enters into the relevant transaction, the following conditions apply: X, Y or Z must notify the applicable individuals of Z whose personal data is disclosed that — the relevant transaction has taken place; and FIRST SCHEDULE PART 4 § 2.(3)(c)(i) {business asset transaction}{organization}{prospective party}If X enters into the relevant transaction, the following conditions apply: X, Y or Z must notify the applicable individuals of Z whose personal data is disclosed that — the personal data about them has been disclosed to X. FIRST SCHEDULE PART 4 § 2.(3)(c)(ii) If X enters into the business asset transaction, the following conditions apply: X or Y must notify the applicable individuals of Y whose personal data is disclosed that — the business asset transaction has taken place; and FIRST SCHEDULE PART 4 § 1.(4)(c)(i)] | Behavior | Preventive | |
Refrain from processing restricted data, as necessary. CC ID 12551 [Notwithstanding the other provisions in this Part, an organisation may use personal data about an individual collected before the appointed day for the purposes for which the personal data was collected unless — the individual, whether before, on or after the appointed day, has otherwise indicated to the organisation that he does not consent to the use of the personal data. § 19.(b) An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless — § 13.] | Records Management | Preventive | |
Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 | Process or Activity | Preventive | |
Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 | Process or Activity | Preventive | |
Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 | Business Processes | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 | Process or Activity | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 | Process or Activity | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 | Process or Activity | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 | Process or Activity | Preventive | |
Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 | Process or Activity | Preventive | |
Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 | Process or Activity | Detective | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 | Process or Activity | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 | Process or Activity | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 | Process or Activity | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 | Process or Activity | Preventive | |
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Data and Information Management | Preventive | |
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Data and Information Management | Preventive | |
Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Business Processes | Preventive | |
Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Business Processes | Preventive | |
Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Business Processes | Preventive | |
Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Business Processes | Preventive | |
Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Business Processes | Preventive | |
Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Business Processes | Preventive | |
Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Business Processes | Preventive | |
Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Business Processes | Preventive | |
Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Business Processes | Preventive | |
Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Business Processes | Preventive | |
Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Process or Activity | Preventive | |
Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 | Establish/Maintain Documentation | Preventive | |
Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 | Establish/Maintain Documentation | Preventive | |
Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 | Establish/Maintain Documentation | Preventive | |
Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 | Establish/Maintain Documentation | Preventive | |
Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 | Establish/Maintain Documentation | Preventive | |
Include the data protection officer's contact information in the record of processing activities. CC ID 12640 | Records Management | Preventive | |
Include the data processor's contact information in the record of processing activities. CC ID 12657 | Records Management | Preventive | |
Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 | Records Management | Preventive | |
Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 | Records Management | Preventive | |
Include a description of the data subject categories in the record of processing activities. CC ID 12659 | Records Management | Preventive | |
Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 | Records Management | Preventive | |
Include the personal data processing categories in the record of processing activities. CC ID 12661 | Records Management | Preventive | |
Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 | Records Management | Preventive | |
Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 | Records Management | Preventive | |
Include a description of the personal data categories in the record of processing activities. CC ID 12660 | Records Management | Preventive | |
Include the joint data controller's contact information in the record of processing activities. CC ID 12639 | Records Management | Preventive | |
Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 | Records Management | Preventive | |
Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 | Records Management | Preventive | |
Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 | Records Management | Preventive | |
Include the data controller's contact information in the record of processing activities. CC ID 12637 | Records Management | Preventive | |
Process restricted data lawfully and carefully. CC ID 00086 [{be appropriate} An organisation may collect, use or disclose personal data about an individual only for purposes— that a reasonable person would consider appropriate in the | Establish Roles | Preventive | |
Analyze requirements for processing personal data in contracts. CC ID 12550 | Investigate | Detective | |
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Technical Security | Preventive | |
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Data and Information Management | Preventive | |
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Communicate | Corrective | |
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Records Management | Preventive | |
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Establish/Maintain Documentation | Preventive | |
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Data and Information Management | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Records Management | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Process or Activity | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Records Management | Preventive | |
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Data and Information Management | Preventive | |
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Establish/Maintain Documentation | Preventive | |
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Establish/Maintain Documentation | Preventive | |
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 [{disclose}The disclosure of personal data about an individual who is a current or former patient of any of the following to a public agency for the purposes of policy formulation or review: a healthcare institution licensed under the Private Hospitals and Medical Clinics Act (Cap. 248); SECOND SCHEDULE PART 3 Division 1 § 3.(a)] | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 [{disclose}The disclosure of personal data about an individual who is a current or former patient of any of the following to a public agency for the purposes of policy formulation or review: a prescribed healthcare body. SECOND SCHEDULE PART 3 Division 1 § 3.(c) {disclose}The disclosure of personal data about an individual who is a current or former patient of any of the following to a public agency for the purposes of policy formulation or review: a licensee under the Healthcare Services Act 2020 (Act 3 of 2020); SECOND SCHEDULE PART 3 Division 1 § 3.(b)] | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Data and Information Management | Preventive | |
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Establish/Maintain Documentation | Preventive | |
Define and implement valid authorization control requirements. CC ID 06258 | Establish/Maintain Documentation | Preventive | |
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Data and Information Management | Preventive | |
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Data and Information Management | Preventive | |
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Data and Information Management | Preventive | |
Process personal data after the data subject has granted explicit consent. CC ID 00180 [{refrain from processing} An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless— the individual gives, or is deemed to have given, his consent under this Act to the collection, use or disclosure, as the case may be; or § 13.(a)] | Data and Information Management | Preventive | |
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 | Data and Information Management | Preventive | |
Process personal data relating to criminal offenses when required by law. CC ID 00237 | Data and Information Management | Preventive | |
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Data and Information Management | Preventive | |
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Data and Information Management | Preventive | |
Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Data and Information Management | Preventive | |
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [{collect}{disclose}Subject to sub-paragraphs (2), (3) and (4) — the collection, use or disclosure (as the case may be) of personal data about an individual is in the legitimate interests of the organisation or another person; and FIRST SCHEDULE PART 3 § 1.(1)(a)] | Data and Information Management | Preventive | |
Process traffic data in a controlled manner. CC ID 00130 | Data and Information Management | Preventive | |
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Data and Information Management | Preventive | |
Process personal data when it is publicly accessible. CC ID 00187 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual that is publicly available. FIRST SCHEDULE PART 2 § 1.] | Data and Information Management | Preventive | |
Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Data and Information Management | Preventive | |
Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Business Processes | Preventive | |
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Communicate | Corrective | |
Process personal data for the purposes of employment. CC ID 16527 | Data and Information Management | Preventive | |
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services. FIRST SCHEDULE PART 3 § 5.] | Data and Information Management | Preventive | |
Process personal data for debt collection or benefit payments. CC ID 00190 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to recover a debt owed by the individual to the organisation; or FIRST SCHEDULE PART 3 § 4.(a) {collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to pay to the individual a debt owed by the organisation. FIRST SCHEDULE PART 3 § 4.(b) {legitimate interest}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — confer an interest or a benefit on the individual under a private trust or benefit plan; and FIRST SCHEDULE PART 3 § 7.(a)] | Data and Information Management | Preventive | |
Process personal data in order to advance the public interest. CC ID 00191 [The use of personal data about an individual for a research purpose (including historical or statistical research), if — there is a clear public benefit to using the personal data for the research purpose; SECOND SCHEDULE PART 2 Division 3 § 1.(b)] | Data and Information Management | Preventive | |
Process personal data for surveys, archives, or scientific research. CC ID 00192 | Data and Information Management | Preventive | |
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 [{without consent} The personal data about an individual is collected, used or disclosed (as the case may be) by a news organisation solely for its news activity. FIRST SCHEDULE PART 2 § 5. {without consent}{artistic purpose}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for artistic or literary purposes. FIRST SCHEDULE PART 2 § 3.] | Data and Information Management | Preventive | |
Process personal data for academic purposes or religious purposes. CC ID 00194 | Data and Information Management | Preventive | |
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Data and Information Management | Preventive | |
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Data and Information Management | Preventive | |
Follow legal obligations while processing personal data. CC ID 04794 | Data and Information Management | Preventive | |
Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Data and Information Management | Preventive | |
Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 [An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if— it is reasonable that the individual would voluntarily provide the data. § 15.(1)(b) An organisation may — use personal data about an individual without the consent of the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 2 of the Second Schedule; or § 17.(1)(b) {individual's vital interest}{without consent}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — the individual would not reasonably be expected to withhold consent. FIRST SCHEDULE PART 1 § 1.(1)(b) {without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is in the national interest. FIRST SCHEDULE PART 2 § 2. {business improvement purpose}{organization}Subject to the conditions in sub-paragraphs (3), (4) and (5), personal data about an individual (P) — is used by X for a relevant purpose; or FIRST SCHEDULE PART 5 § 1.(1)(b) {business improvement purpose}Sub-paragraph (1)(b) applies only if — a reasonable person would consider the use of personal data about P for the relevant purpose to be appropriate in the circumstances. FIRST SCHEDULE PART 5 § 1.(4)(b) {business improvement purpose}{refrain from achieving}Sub-paragraph (1)(b) applies only if — the relevant purpose for which X uses personal data about P cannot reasonably be achieved without the use of the personal data in an individually identifiable form; and FIRST SCHEDULE PART 5 § 1.(4)(a)] | Data and Information Management | Preventive | |
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 [{individual's vital interest}{collect}{disclose} Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — FIRST SCHEDULE PART 1 § 1.(1)] | Process or Activity | Preventive | |
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 | Data and Information Management | Preventive | |
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 [{without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or FIRST SCHEDULE PART 3 § 10.(a) {without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. FIRST SCHEDULE PART 3 § 10.(b)] | Data and Information Management | Preventive | |
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Data and Information Management | Preventive | |
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 [Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: improving or enhancing any goods or services provided, or developing new goods or services to be provided, by the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(a) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: learning about and understanding the behaviour and preferences of P or another individual in relation to the goods or services provided by the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(c) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: identifying any goods or services provided by the organisation that may be suitable for P or another individual, or personalising or customising any such goods or services for P or another individual. SECOND SCHEDULE PART 2 Division 2 § 1.(1)(d)] | Data and Information Management | Preventive | |
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 [{individual's vital interest}The collection, use or disclosure (as the case may be) of personal data about an individual, where — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; and FIRST SCHEDULE PART 1 § 3.(a)] | Data and Information Management | Preventive | |
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 [{individual's vital interest}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; or FIRST SCHEDULE PART 1 § 1.(1)(a)] | Data and Information Management | Preventive | |
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 [{without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is used or disclosed by X in relation to the business asset transaction; or FIRST SCHEDULE PART 4 § 1.(1)(b) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is used or disclosed by X or Y in relation to the relevant transaction; or FIRST SCHEDULE PART 4 § 2.(1)(b) {legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — relates to a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual. FIRST SCHEDULE PART 3 § 6.(1)(b) {business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: X may use or disclose the personal data collected from Y or Z (as the case may be) only for the same purposes for which Y or Z (as the case may be) would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(a)] | Data and Information Management | Preventive | |
Process personal data absent consent in order to perform a contract. CC ID 13586 [{prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: X may use or disclose the personal data X collected from Y only for the same purposes for which Y would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 1.(4)(a) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X and Y must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the business asset transaction. FIRST SCHEDULE PART 4 § 1.(3)(b) {business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y and Z must have entered into an agreement that requires Y to use or disclose the personal data solely for purposes related to the relevant transaction. FIRST SCHEDULE PART 4 § 2.(2)(b)(ii)] | Data and Information Management | Preventive | |
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Data and Information Management | Preventive | |
Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Data and Information Management | Preventive | |
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 [{is necessary}{without consent} The collection, use or disclosure of personal data is for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual. FIRST SCHEDULE PART 1 § 4.] | Data and Information Management | Preventive | |
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Data and Information Management | Preventive | |
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 [{refrain from achieving}The use of personal data about an individual for a research purpose (including historical or statistical research), if — the research purpose cannot reasonably be accomplished unless the personal data is used in an individually identifiable form; SECOND SCHEDULE PART 2 Division 3 § 1.(a) {collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for evaluative purposes. FIRST SCHEDULE PART 3 § 2. The use of personal data about an individual for a research purpose (including historical or statistical research), if — the results of the research will not be used to make any decision that affects the individual; and SECOND SCHEDULE PART 2 Division 3 § 1.(c)] | Data and Information Management | Preventive | |
Process personal data absent consent when it is needed by law. CC ID 13577 [{refrain from processing} An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless— the collection, use or disclosure, as the case may be, without the consent of the individual is required or authorised under this Act or any other written law. § 13.(b) Subject to section 25, if an individual withdraws consent to the collection, use or disclosure of personal data about the individual by an organisation for any purpose, the organisation shall cease (and cause its data intermediaries and agents to cease) collecting, using or disclosing the personal data, as the case may be, unless such collection, use or disclosure, as the case may be, without the consent of the individual is required or authorised under this Act or other written law. § 16.(4)] | Data and Information Management | Preventive | |
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 [{without consent}{archival purpose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for archival or historical purposes, if a reasonable person would not consider the personal data to be too sensitive to the individual to be collected, used or disclosed (as the case may be) at the proposed time. FIRST SCHEDULE PART 2 § 4.] | Data and Information Management | Preventive | |
Process personal data absent consent when it is from publicly available information. CC ID 13576 [{without consent}The use of personal data about an individual, if — the personal data was disclosed by a public agency; and SECOND SCHEDULE PART 2 Division 1 § 1.(a)] | Data and Information Management | Preventive | |
Process personal data absent consent to create a credit report. CC ID 15288 [{legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — is for the purpose of the preparation by a credit bureau of a credit report; or FIRST SCHEDULE PART 3 § 6.(1)(a)] | Data and Information Management | Preventive | |
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 [Unless otherwise provided under this Act, an organisation may — use or disclose personal data about an individual that — for purposes consistent with the purpose of that collection, or for any purpose permitted by subsection (1)(b) or (c), as the case may be. § 17.(2)(b) ¶ 1 Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the collection and use of that personal data by B, where the collection and use are reasonably necessary for any purpose mentioned in paragraph (a); § 15.(6)(b) {without consent}The personal data about an individual — is collected, used or disclosed (as the case may be) for purposes consistent with the purpose for which the document was produced. FIRST SCHEDULE PART 3 § 9.(b) {personal purpose}{domestic purposes}The personal data about an individual — is collected, used or disclosed (as the case may be) by the organisation solely for the purpose in sub-paragraph (a). FIRST SCHEDULE PART 3 § 8.(b) {without consent}The use of personal data about an individual, if — the use of personal data by the organization is consistent with the purpose of the disclosure by the public agency. SECOND SCHEDULE PART 2 Division 1 § 1.(b)] | Data and Information Management | Preventive | |
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 [{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — administer that trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be. FIRST SCHEDULE PART 3 § 7.(b)] | Data and Information Management | Preventive | |
Process personal data absent consent when produced for business purposes. CC ID 13563 [Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: improving or enhancing any goods or services provided, or developing new goods or services to be provided, by the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(a) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: improving or enhancing the methods or processes, or developing new methods or processes, for the operations of the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(b) {cannot achieve}Sub-paragraph (1) applies only if — the purpose for which the organisation uses personal data about P cannot reasonably be achieved without the use of the personal data in an individually identifiable form; and SECOND SCHEDULE PART 2 Division 2 § 1.(2)(a) {business improvement purpose}Sub-paragraph (1) applies only if — a reasonable person would consider the use of personal data about P for that purpose to be appropriate in the circumstances. SECOND SCHEDULE PART 2 Division 2 § 1.(2)(b)] | Data and Information Management | Preventive | |
Process personal data absent consent for handling insurance claims. CC ID 13561 | Data and Information Management | Preventive | |
Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 | Data and Information Management | Preventive | |
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Data and Information Management | Preventive | |
Process personal data absent consent for life-threatening emergencies. CC ID 13558 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual, where — there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected. FIRST SCHEDULE PART 1 § 3.(b)] | Data and Information Management | Preventive | |
Process personal data absent consent for reasonable investigative purposes. CC ID 13557 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any investigation or proceedings. FIRST SCHEDULE PART 3 § 3.] | Data and Information Management | Preventive | |
Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 [{prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: X or Y must notify the applicable individuals of Y whose personal data is disclosed that — the personal data about them has been disclosed to X. FIRST SCHEDULE PART 4 § 1.(4)(c)(ii)] | Behavior | Preventive | |
Define security breach notification requirement exceptions. CC ID 04797 | Establish/Maintain Documentation | Preventive | |
Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 [{data breach}{notifiable data breach} The organisation must carry out the assessment mentioned in subsection (2) or (3)(b) in accordance with any prescribed requirements. § 26C.(4)] | Communicate | Corrective | |
Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 [An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless — § 13.] | Records Management | Preventive | |
Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 | Communicate | Corrective | |
Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary — § 15.(6)(a)] | Data and Information Management | Preventive | |
Define what restricted data is not required to be disclosed absent consent. CC ID 00134 | Establish/Maintain Documentation | Preventive | |
Define the exceptions to disclosure absent consent. CC ID 00135 | Establish/Maintain Documentation | Preventive | |
Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the collection and use of that personal data by B; § 15.(3)(b)] | Data and Information Management | Detective | |
Define opt-out exceptions for disclosing restricted data. CC ID 00159 | Establish/Maintain Documentation | Preventive | |
Define how a data subject may give consent. CC ID 00160 [An individual has not given consent under this Act for the collection, use or disclosure of personal data about the individual by an organisation for a purpose unless— the individual has been provided with the information required under section 20; and § 14.(1)(a) {render invalid} Any consent given in any of the circumstances in subsection (2) is not validly given for the purposes of this Act. § 14.(3) An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if— the individual, without actually giving consent referred to in section 14, voluntarily provides the personal data to the organisation for that purpose; and § 15.(1)(a) In this Act, references to the consent given or deemed to have been given, by an individual for the collection, use, or disclosure of personal data about the individual shall include consent given, or deemed to have been given, by any person validly acting on behalf of that individual for the collection, use or disclosure of such personal data. § 14.(4) An individual has not given consent under this Act for the collection, use or disclosure of personal data about the individual by an organisation for a purpose unless — the individual provided his consent for that purpose in accordance with this Act. § 14.(1)(b) Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the individual does not notify the organisation, before the expiry of the period mentioned in subsection (4)(b)(iii), that the individual does not consent to the proposed collection, use or disclosure of the personal data by the organisation. § 15A.(2)(b) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: a reasonable period within which, and a reasonable manner by which, the individual may notify the organisation that the individual does not consent to the organisation's proposed collection, use or disclosure of the personal data; and § 15A.(4)(b)(iii)] | Establish/Maintain Documentation | Preventive | |
Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 | Data and Information Management | Preventive | |
Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 [An organisation may — disclose personal data about an individual without the consent of the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 3 of the Second Schedule. § 17.(1)(c) {individual's vital interest}{without consent}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — the individual would not reasonably be expected to withhold consent. FIRST SCHEDULE PART 1 § 1.(1)(b) {organization}{corporation}{business improvement purpose}Subject to the conditions in sub-paragraphs (3), (4) and (5), personal data about an individual (P) — is disclosed by Y to X for a relevant purpose. FIRST SCHEDULE PART 5 § 1.(1)(c)] | Communicate | Preventive | |
Disclose restricted data absent consent when the law does not require consent. CC ID 00136 | Data and Information Management | Preventive | |
Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 [Unless otherwise provided under this Act, an organisation may — use or disclose personal data about an individual that — for purposes consistent with the purpose of that collection, or for any purpose permitted by subsection (1)(b) or (c), as the case may be. § 17.(2)(b) ¶ 1 Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by B to another organisation, where the disclosure is reasonably necessary for any purpose mentioned in paragraph (a). § 15.(6)(c) {personal purpose}{domestic purposes}The personal data about an individual — is collected, used or disclosed (as the case may be) by the organisation solely for the purpose in sub-paragraph (a). FIRST SCHEDULE PART 3 § 8.(b) {business improvement purpose}{refrain from achieving}Sub-paragraph (1)(a) and (c) applies only if — the relevant purpose for which X collects, or Y discloses, personal data about P cannot reasonably be achieved without the collection, use or disclosure (as the case may be) of the personal data in an individually identifiable form; FIRST SCHEDULE PART 5 § 1.(3)(a) {without consent}The personal data about an individual — is collected, used or disclosed (as the case may be) for purposes consistent with the purpose for which the document was produced. FIRST SCHEDULE PART 3 § 9.(b)] | Data and Information Management | Preventive | |
Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the disclosure of that personal data by A to another organisation (B); § 15.(3)(a) Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the disclosure of that personal data by B to another organisation. § 15.(3)(c) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer of Y; and FIRST SCHEDULE PART 5 § 1.(5)(a) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer or a prospective customer of X. FIRST SCHEDULE PART 5 § 1.(5)(b)] | Data and Information Management | Preventive | |
Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 | Data and Information Management | Preventive | |
Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 [{individual's vital interest}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; or FIRST SCHEDULE PART 1 § 1.(1)(a)] | Data and Information Management | Preventive | |
Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 [{without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or FIRST SCHEDULE PART 3 § 10.(a) {without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. FIRST SCHEDULE PART 3 § 10.(b)] | Data and Information Management | Preventive | |
Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 | Data and Information Management | Preventive | |
Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 | Data and Information Management | Preventive | |
Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 | Data and Information Management | Preventive | |
Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 | Data and Information Management | Preventive | |
Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 | Data and Information Management | Preventive | |
Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 | Data and Information Management | Preventive | |
Disclose personal data absent consent to create a credit report. CC ID 15297 [{legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — is for the purpose of the preparation by a credit bureau of a credit report; or FIRST SCHEDULE PART 3 § 6.(1)(a)] | Data and Information Management | Preventive | |
Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 | Data and Information Management | Preventive | |
Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 | Data and Information Management | Preventive | |
Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 | Data and Information Management | Preventive | |
Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 [{business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y may collect, and Z may disclose, only personal data that is necessary for X or Y (as the case may be) to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(b)(i)] | Data and Information Management | Preventive | |
Disclose personal data absent consent for handling insurance claims. CC ID 13585 | Data and Information Management | Preventive | |
Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 | Data and Information Management | Preventive | |
Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 | Data and Information Management | Preventive | |
Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 | Data and Information Management | Preventive | |
Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 | Data and Information Management | Preventive | |
Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 [{is necessary}{without consent} The collection, use or disclosure of personal data is for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual. FIRST SCHEDULE PART 1 § 4.] | Data and Information Management | Preventive | |
Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 [{collect}{disclose}Subject to sub-paragraphs (2), (3) and (4) — the collection, use or disclosure (as the case may be) of personal data about an individual is in the legitimate interests of the organisation or another person; and FIRST SCHEDULE PART 3 § 1.(1)(a)] | Data and Information Management | Preventive | |
Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 | Data and Information Management | Preventive | |
Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 [{individual's vital interest}The collection, use or disclosure (as the case may be) of personal data about an individual, where — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; and FIRST SCHEDULE PART 1 § 3.(a) The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — it is impracticable for the organisation to seek the consent of the individual for the disclosure; SECOND SCHEDULE PART 3 Division 2 § 1.(b)] | Data and Information Management | Preventive | |
Disclose restricted data absent consent in order to perform a contract. CC ID 00139 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary — for the conclusion or performance of a contract between A and B which is entered into at P's request, or which a reasonable person would consider to be in P's interest; § 15.(6)(a)(ii) {without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is used or disclosed by X in relation to the business asset transaction; or FIRST SCHEDULE PART 4 § 1.(1)(b) {without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is disclosed by Y to X for the purposes of the business transaction. FIRST SCHEDULE PART 4 § 1.(1)(c) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X may collect, and Y may disclose, only personal data that is necessary for X to determine whether to proceed with the business asset transaction; FIRST SCHEDULE PART 4 § 1.(3)(a) {prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: X may use or disclose the personal data X collected from Y only for the same purposes for which Y would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 1.(4)(a) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X and Y must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the business asset transaction. FIRST SCHEDULE PART 4 § 1.(3)(b) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is used or disclosed by X or Y in relation to the relevant transaction; or FIRST SCHEDULE PART 4 § 2.(1)(b) Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary — for the performance of the contract between P and A; or § 15.(6)(a)(i) {legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — relates to a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual. FIRST SCHEDULE PART 3 § 6.(1)(b) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is disclosed by Y or Z (as the case may be) to X, or by Z to Y, for the purposes of the relevant transaction. FIRST SCHEDULE PART 4 § 2.(1)(c) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X may collect, and Y or Z (as the case may be) may disclose, only personal data that is necessary for X to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(a)(i) {business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: X may use or disclose the personal data collected from Y or Z (as the case may be) only for the same purposes for which Y or Z (as the case may be) would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(a) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X and Y or Z (as the case may be) must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the relevant transaction; FIRST SCHEDULE PART 4 § 2.(2)(a)(ii) {business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y and Z must have entered into an agreement that requires Y to use or disclose the personal data solely for purposes related to the relevant transaction. FIRST SCHEDULE PART 4 § 2.(2)(b)(ii) {legitimate interest}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — confer an interest or a benefit on the individual under a private trust or benefit plan; and FIRST SCHEDULE PART 3 § 7.(a)] | Data and Information Management | Preventive | |
Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 | Data and Information Management | Preventive | |
Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 [{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — administer that trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be. FIRST SCHEDULE PART 3 § 7.(b)] | Data and Information Management | Preventive | |
Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 [{disclose}The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — in the event that the results of the research are published, the organisation publishes the results in a form that does not identify the individual. SECOND SCHEDULE PART 3 Division 2 § 1.(e)] | Data and Information Management | Preventive | |
Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 | Data and Information Management | Preventive | |
Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 | Data and Information Management | Preventive | |
Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 | Data and Information Management | Preventive | |
Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 [{disclose}{without consent} The disclosure of personal data about an individual to a public agency, where the disclosure is necessary in the public interest. SECOND SCHEDULE PART 3 Division 1 § 1.] | Data and Information Management | Preventive | |
Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 | Data and Information Management | Preventive | |
Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 [The use of personal data about an individual for a research purpose (including historical or statistical research), if — in the event that the results of the research are published, the organisation publishes the results in a form that does not identify the individual. SECOND SCHEDULE PART 2 Division 3 § 1.(d) {refrain from achieving}The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — the research purpose cannot reasonably be accomplished unless the personal data is disclosed in an individually identifiable form; SECOND SCHEDULE PART 3 Division 2 § 1.(a) The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — there is a clear public benefit to disclosing the personal data for the research purpose; SECOND SCHEDULE PART 3 Division 2 § 1.(c) {collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for evaluative purposes. FIRST SCHEDULE PART 3 § 2. {disclose}The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — the results of the research will not be used to make a decision that affects the individual; and SECOND SCHEDULE PART 3 Division 2 § 1.(d)] | Data and Information Management | Preventive | |
Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 [{without consent}{archival purpose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for archival or historical purposes, if a reasonable person would not consider the personal data to be too sensitive to the individual to be collected, used or disclosed (as the case may be) at the proposed time. FIRST SCHEDULE PART 2 § 4.] | Data and Information Management | Preventive | |
Disclose restricted data absent consent for public economic interests. CC ID 00148 | Data and Information Management | Preventive | |
Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is in the national interest. FIRST SCHEDULE PART 2 § 2.] | Data and Information Management | Preventive | |
Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 [{without consent} The personal data about an individual is collected, used or disclosed (as the case may be) by a news organisation solely for its news activity. FIRST SCHEDULE PART 2 § 5. {without consent}{artistic purpose}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for artistic or literary purposes. FIRST SCHEDULE PART 2 § 3.] | Data and Information Management | Preventive | |
Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual that is publicly available. FIRST SCHEDULE PART 2 § 1.] | Data and Information Management | Preventive | |
Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 | Data and Information Management | Preventive | |
Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 | Data and Information Management | Preventive | |
Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 [{individual's vital interest}{collect}{disclose} Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — FIRST SCHEDULE PART 1 § 1.(1)] | Data and Information Management | Preventive | |
Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual, where — there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected. FIRST SCHEDULE PART 1 § 3.(b)] | Data and Information Management | Preventive | |
Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any investigation or proceedings. FIRST SCHEDULE PART 3 § 3. {collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services. FIRST SCHEDULE PART 3 § 5.] | Data and Information Management | Preventive | |
Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 | Establish/Maintain Documentation | Detective | |
Disclose restricted data absent consent when it is needed by law. CC ID 00163 | Data and Information Management | Preventive | |
Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 [An organisation must not inform any individual under subsection (1)(b) that the organisation has disclosed personal data about the individual to a prescribed law enforcement agency if the disclosure was made under this Act or any other written law without the consent of the individual. § 21.(4) {disclose} The disclosure of personal data about any individual to any officer of a prescribed law enforcement agency, upon production of written authorisation signed by the head or director of that prescribed law enforcement agency or a person of a similar rank, certifying that the personal data is necessary for the purposes of the functions or duties of the officer. SECOND SCHEDULE PART 3 Division 1 § 4.] | Data and Information Management | Preventive | |
Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 | Data and Information Management | Preventive | |
Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 | Data and Information Management | Preventive | |
Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to recover a debt owed by the individual to the organisation; or FIRST SCHEDULE PART 3 § 4.(a) {collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to pay to the individual a debt owed by the organisation. FIRST SCHEDULE PART 3 § 4.(b)] | Data and Information Management | Preventive | |
Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 | Data and Information Management | Preventive | |
Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 | Communicate | Preventive | |
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [the organisation must preserve, for not less than the prescribed period, a copy of the personal data concerned. § 22A.(1) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain personal data disposition procedures. CC ID 13498 | Establish/Maintain Documentation | Preventive | |
Capture personal data removal requests. CC ID 13507 | Communicate | Preventive | |
Remove personal data from records after receiving a personal data removal request. CC ID 11972 | Records Management | Preventive | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Process or Activity | Preventive | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Process or Activity | Preventive | |
Dispose of personal data removal requests, as necessary. CC ID 13512 | Business Processes | Preventive | |
Limit the redisclosure and reuse of restricted data. CC ID 00168 | Data and Information Management | Preventive | |
Refrain from redisclosing or reusing restricted data. CC ID 00169 | Data and Information Management | Preventive | |
Document the redisclosing restricted data exceptions. CC ID 00170 | Establish/Maintain Documentation | Preventive | |
Redisclose restricted data when the data subject consents. CC ID 00171 | Data and Information Management | Preventive | |
Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 | Data and Information Management | Preventive | |
Redisclose restricted data in order to protect public revenue. CC ID 00173 | Data and Information Management | Preventive | |
Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 | Data and Information Management | Preventive | |
Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 | Data and Information Management | Preventive | |
Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 | Data and Information Management | Preventive | |
Redisclose restricted data in order to preserve human life at sea. CC ID 00177 | Data and Information Management | Preventive | |
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 | Data and Information Management | Preventive | |
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 | Data and Information Management | Preventive | |
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Data and Information Management | Preventive | |
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Data and Information Management | Preventive | |
Process Personal Identification Numbers with consent. CC ID 00239 | Data and Information Management | Preventive | |
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Behavior | Preventive | |
Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Data and Information Management | Preventive | |
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Data and Information Management | Preventive | |
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Data and Information Management | Preventive | |
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Data and Information Management | Preventive | |
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Establish/Maintain Documentation | Preventive | |
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Data and Information Management | Preventive | |
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Data and Information Management | Preventive | |
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Data and Information Management | Preventive | |
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Data and Information Management | Preventive | |
Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 | Data and Information Management | Preventive | |
Establish, implement, and maintain data disclosure procedures. CC ID 00133 [Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the organisation satisfies the requirements in subsection (4); and § 15A.(2)(a) {business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: Y may use or disclose the personal data collected from Z only for the same purposes for which Z would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(b)] | Establish/Maintain Documentation | Preventive | |
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual; § 15A.(5)(a) {legitimate interest}{collect}{disclose}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify any adverse effect that the proposed collection, use or disclosure (as the case may be) of personal data about an individual is likely to have on the individual; FIRST SCHEDULE PART 3 § 1.(3)(a)] | Data and Information Management | Preventive | |
Review personal data disclosure requests. CC ID 07129 | Data and Information Management | Preventive | |
Notify the data subject of the disclosure purpose. CC ID 15268 [For the purposes of subsection (4), the organisation must inform the individual of the following: the purpose for which the organisation is collecting, using or disclosing (as the case may be) the personal data about the individual; § 20.(5)(a)] | Communicate | Preventive | |
Establish, implement, and maintain data request denial procedures. CC ID 00434 | Establish/Maintain Documentation | Preventive | |
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 [{personal data request} An organisation is not required to provide information under section 21(1) in respect of— any request— that would unreasonably interfere with the operations of the organisation because of the repetitious or systematic nature of the requests; FIFTH SCHEDULE § 1.(j)(i) {personal data request} An organisation is not required to provide information under section 21(1) in respect of— any request— for information that is trivial; or FIFTH SCHEDULE § 1.(j)(iv) {personal data request}{is unnecessary} An organisation is not required to provide information under section 21(1) in respect of— any request— that is otherwise frivolous or vexatious. FIFTH SCHEDULE § 1.(j)(v) {interfere}{operation} For the purposes of paragraph 1(j)(i), the organisation may have regard to the number and frequency of requests received. FIFTH SCHEDULE § 2.] | Data and Information Management | Preventive | |
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 [{personal data request} An organisation is not required to provide information under section 21(1) in respect of— any request— for information that does not exist or cannot be found; FIFTH SCHEDULE § 1.(j)(iii)] | Data and Information Management | Preventive | |
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Data and Information Management | Preventive | |
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 [{other person} An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to— reveal personal data about another individual; § 21.(3)(c) {other person} An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to — reveal the identity of an individual who has provided personal data about another individual and the individual providing the personal data does not consent to the disclosure of his identity; or § 21.(3)(d)] | Data and Information Management | Preventive | |
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Data and Information Management | Preventive | |
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Data and Information Management | Preventive | |
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [An organisation is not required to provide information under section 21(1) in respect of— personal data which, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the organisation; FIFTH SCHEDULE § 1.(g)] | Data and Information Management | Preventive | |
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 [An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to— threaten the safety or physical or mental health of an individual other than the individual who made the request; § 21.(3)(a) An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to— cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request; § 21.(3)(b)] | Data and Information Management | Preventive | |
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Data and Information Management | Preventive | |
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Process or Activity | Preventive | |
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Data and Information Management | Preventive | |
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Data and Information Management | Preventive | |
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 [An organisation is not required to provide information under section 21(1) in respect of— opinion data kept solely for an evaluative purpose; FIFTH SCHEDULE § 1.(a)] | Data and Information Management | Preventive | |
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 [{contravene} An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to — be contrary to the national interest. § 21.(3)(e)] | Data and Information Management | Detective | |
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Data and Information Management | Preventive | |
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Data and Information Management | Preventive | |
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Data and Information Management | Preventive | |
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 [An organisation is not required to provide information under section 21(1) in respect of — personal data collected, used or disclosed without consent, under paragraph 3 of Part 3 of the First Schedule, for the purposes of an investigation if the investigation and associated proceedings and appeals have not been completed; FIFTH SCHEDULE § 1.(h)] | Data and Information Management | Preventive | |
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Data and Information Management | Preventive | |
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 [An organisation is not required to provide information under section 21(1) in respect of— the personal data was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he was appointed to act— under a collective agreement under the Industrial Relations Act (Cap. 136) or by agreement between the parties to the mediation or arbitration; FIFTH SCHEDULE § 1.(i)(i) An organisation is not required to provide information under section 21(1) in respect of— the personal data was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he was appointed to act— under any written law; or FIFTH SCHEDULE § 1.(i)(ii) An organisation is not required to provide information under section 21(1) in respect of— the personal data was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he was appointed to act— by a | Data and Information Management | Preventive | |
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Data and Information Management | Preventive | |
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 [{personal data request}{be disproportionate} An organisation is not required to provide information under section 21(1) in respect of—any request— if the burden or expense of providing access would be unreasonable to the organisation or disproportionate to the individual's interests; FIFTH SCHEDULE § 1.(j)(ii)] | Data and Information Management | Preventive | |
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [the organisation must, within the prescribed time and in accordance with the prescribed requirements, notify the individual of the rejection. § 21.(6) ¶ 1] | Data and Information Management | Preventive | |
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Communicate | Preventive | |
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Data and Information Management | Preventive | |
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Process or Activity | Preventive | |
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [Subject to subsections (2), (3) and (4), on request of an individual, an organisation shall, as soon as reasonably possible, provide the individual with— personal data about the individual that is in the possession or under the control of the organisation; and § 21.(1)(a) {is complete} If an organisation is able to provide the individual with the individual's personal data and other information requested under subsection (1) without the personal data or other information excluded under subsections (2), (3) and (4), the organisation shall provide the individual with access to the personal data and other information without the personal data or other information excluded under subsections (2), (3) and (4). § 21.(5)] | Data and Information Management | Preventive | |
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Data and Information Management | Preventive | |
Notify that data subject of any exclusions to requested personal data. CC ID 15271 [the organisation must notify the individual of the exclusion, under subsection (2) or (3), of any of the personal data or other information so requested. § 21.(7) ¶ 1] | Communicate | Preventive | |
Provide data or records in a reasonable time frame. CC ID 00429 [{person}A checker is deemed to have complied with subsection (2)(a) if — the checker provides the applicable information to P before the expiry of the prescribed period mentioned in section 43(2)(b)(i). § 43A.(3)(b)] | Data and Information Management | Preventive | |
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Communicate | Preventive | |
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Data and Information Management | Preventive | |
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Data and Information Management | Preventive | |
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Data and Information Management | Preventive | |
Provide data at a cost that is not excessive. CC ID 00430 | Data and Information Management | Preventive | |
Provide records or data in a reasonable manner. CC ID 00431 | Data and Information Management | Preventive | |
Provide personal data in a form that is intelligible. CC ID 00432 | Data and Information Management | Preventive | |
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Data and Information Management | Preventive | |
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Data and Information Management | Preventive | |
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Data and Information Management | Preventive | |
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data collection program. CC ID 06487 | Establish/Maintain Documentation | Preventive | |
Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual; § 15A.(5)(a) {legitimate interest}{collect}{disclose}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify any adverse effect that the proposed collection, use or disclosure (as the case may be) of personal data about an individual is likely to have on the individual; FIRST SCHEDULE PART 3 § 1.(3)(a)] | Data and Information Management | Preventive | |
Refrain from collecting personal data, as necessary. CC ID 15269 [An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless — § 13.] | Data and Information Management | Preventive | |
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 [Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the organisation satisfies the requirements in subsection (4); and § 15A.(2)(a)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data use policy. CC ID 00076 | Establish/Maintain Documentation | Preventive | |
Use personal data for specified purposes. CC ID 11831 [{business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: Y may use or disclose the personal data collected from Z only for the same purposes for which Z would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(b)] | Data and Information Management | Preventive | |
Post the collection purpose. CC ID 00101 | Establish/Maintain Documentation | Preventive | |
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: § 15.(6)] | Data and Information Management | Preventive | |
Document each individual's personal data collection consent preferences. CC ID 06945 | Establish/Maintain Documentation | Preventive | |
Provide explicit consent that is clear and unambiguous. CC ID 00181 | Data and Information Management | Preventive | |
Allow individuals to change their personal data collection consent preferences. CC ID 06946 [{allow} On giving reasonable notice to the organisation, an individual may at any time withdraw any consent given, or deemed to have been given under this Act, in respect of the collection, use or disclosure by that organisation of personal data about the individual for any purpose. § 16.(1) An organisation shall not prohibit an individual from withdrawing his consent to the collection, use or disclosure of personal data about the individual, but this section shall not affect any legal consequences arising from such withdrawal. § 16.(3)] | Data and Information Management | Preventive | |
Adhere to each individual's personal data collection consent preferences. CC ID 06947 | Data and Information Management | Preventive | |
Notify the data subject of the source of collected personal data. CC ID 00083 | Behavior | Preventive | |
Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Data and Information Management | Preventive | |
Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Data and Information Management | Preventive | |
Establish and maintain a personal data definition. CC ID 00028 | Establish/Maintain Documentation | Preventive | |
Include an individual's name in the personal data definition. CC ID 04710 | Data and Information Management | Preventive | |
Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Data and Information Management | Preventive | |
Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Data and Information Management | Preventive | |
Include an individual's signature in the personal data definition. CC ID 04711 | Data and Information Management | Preventive | |
Include an individual's date of birth in the personal data definition. CC ID 04770 | Data and Information Management | Preventive | |
Include the number of children in the personal data definition. CC ID 13759 | Establish/Maintain Documentation | Preventive | |
Include the individual's religion in the personal data definition. CC ID 13765 | Establish/Maintain Documentation | Preventive | |
Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Data and Information Management | Preventive | |
Include an individual's biometric data in the personal data definition. CC ID 04698 | Data and Information Management | Preventive | |
Include an individual's photographic image in the personal data definition. CC ID 04779 | Data and Information Management | Preventive | |
Include an individual's fingerprints in the personal data definition. CC ID 04689 | Data and Information Management | Preventive | |
Include an individual's address in the personal data definition. CC ID 04687 | Data and Information Management | Preventive | |
Include an individual's telephone number in the personal data definition. CC ID 04688 | Data and Information Management | Preventive | |
Include an individual's fax number in the personal data definition. CC ID 07120 | Data and Information Management | Preventive | |
Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Establish/Maintain Documentation | Preventive | |
Include an individual's license plate number in the personal data definition. CC ID 13763 | Establish/Maintain Documentation | Preventive | |
Include an individual's financial account number in the personal data definition. CC ID 04692 | Data and Information Management | Preventive | |
Include an individual's account balances in the personal data definition. CC ID 13770 | Establish/Maintain Documentation | Preventive | |
Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Data and Information Management | Preventive | |
Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Data and Information Management | Preventive | |
Include an individual's logon credentials in the personal data definition. CC ID 13771 | Establish/Maintain Documentation | Preventive | |
Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Data and Information Management | Preventive | |
Include an individual's passport number in the personal data definition. CC ID 04713 | Data and Information Management | Preventive | |
Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Data and Information Management | Preventive | |
Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Data and Information Management | Preventive | |
Include an individual's military identification number in the personal data definition. CC ID 13083 | Establish/Maintain Documentation | Preventive | |
Include an individual's e-mail address in the personal data definition. CC ID 04696 | Data and Information Management | Preventive | |
Include electronic signatures in the personal data definition. CC ID 04697 | Data and Information Management | Preventive | |
Include an individual's payment card information in the personal data definition. CC ID 04751 | Data and Information Management | Preventive | |
Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Data and Information Management | Preventive | |
Include an individual's payment card service code in the personal data definition. CC ID 04753 | Data and Information Management | Preventive | |
Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Data and Information Management | Preventive | |
Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Data and Information Management | Preventive | |
Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Data and Information Management | Preventive | |
Include an individual's medical history in the personal data definition. CC ID 04701 | Data and Information Management | Preventive | |
Include an individual's medical treatment in the personal data definition. CC ID 04702 | Data and Information Management | Preventive | |
Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Data and Information Management | Preventive | |
Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Data and Information Management | Preventive | |
Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Data and Information Management | Preventive | |
Include an individual's health insurance information in the personal data definition. CC ID 04705 | Data and Information Management | Preventive | |
Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Data and Information Management | Preventive | |
Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Data and Information Management | Preventive | |
Include an individual's education information in the personal data definition. CC ID 04714 | Data and Information Management | Preventive | |
Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Data and Information Management | Preventive | |
Include an individual's employment information in the personal data definition. CC ID 04715 | Data and Information Management | Preventive | |
Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Data and Information Management | Preventive | |
Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Data and Information Management | Preventive | |
Include an individual's employment history in the personal data definition. CC ID 04716 | Data and Information Management | Preventive | |
Include an individual's place of employment in the personal data definition. CC ID 04765 | Data and Information Management | Preventive | |
Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Data and Information Management | Preventive | |
Include an individual's property information in the personal data definition. CC ID 04780 | Data and Information Management | Preventive | |
Include an individual's property title in the personal data definition. CC ID 04781 | Data and Information Management | Preventive | |
Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Data and Information Management | Preventive | |
Include hardware asset identification information in the personal data definition. CC ID 07123 | Data and Information Management | Preventive | |
Include MAC addresses in the personal data definition. CC ID 04778 | Data and Information Management | Preventive | |
Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Data and Information Management | Preventive | |
Include asset serial numbers in the personal data definition. CC ID 07124 | Data and Information Management | Preventive | |
Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Data and Information Management | Preventive | |
Refrain from including publicly available information in the personal data definition. CC ID 13084 | Establish/Maintain Documentation | Preventive | |
Define specially restricted data. CC ID 00037 | Data and Information Management | Preventive | |
Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Data and Information Management | Preventive | |
Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Data and Information Management | Preventive | |
Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Data and Information Management | Preventive | |
Implement a nondiscrimination principle. CC ID 00081 | Data and Information Management | Preventive | |
Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Data and Information Management | Preventive | |
Preserve each individual's right to human dignity. CC ID 00082 | Data and Information Management | Preventive | |
Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Data and Information Management | Preventive | |
Employ a random number generator to create authenticators. CC ID 13782 | Technical Security | Preventive | |
Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Data and Information Management | Preventive | |
Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Data and Information Management | Preventive | |
Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Data and Information Management | Preventive | |
Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Data and Information Management | Preventive | |
Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Behavior | Preventive | |
Manage health data collection. CC ID 00050 | Data and Information Management | Preventive | |
Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 | Data and Information Management | Preventive | |
Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Data and Information Management | Preventive | |
Collect Individually Identifiable Health Information for research. CC ID 00054 | Data and Information Management | Preventive | |
Remove personal data before disclosing health data. CC ID 00055 | Data and Information Management | Preventive | |
Give special attention to collecting children's data. CC ID 00038 | Data and Information Management | Preventive | |
Use simple understandable language to collect information from children. CC ID 00039 | Behavior | Preventive | |
Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Establish/Maintain Documentation | Preventive | |
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Data and Information Management | Preventive | |
Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Establish/Maintain Documentation | Preventive | |
Collect personal data directly from the data subject. CC ID 00011 | Data and Information Management | Preventive | |
Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Data and Information Management | Preventive | |
Provide unlinkability for users and resources. CC ID 04550 | Data and Information Management | Preventive | |
Provide unobservability of users and resources. CC ID 04551 | Technical Security | Preventive | |
Confirm the data quality of personal data collected from third parties. CC ID 13510 | Investigate | Detective | |
Collect restricted data in a fair and lawful manner. CC ID 00010 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the collection and use of that personal data by B; § 15.(3)(b)] | Data and Information Management | Preventive | |
Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 [An organisation may — collect personal data about an individual, without the consent of the individual or from a source other than the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 1 of the Second Schedule; § 17.(1)(a) {individual's vital interest}{without consent}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — the individual would not reasonably be expected to withhold consent. FIRST SCHEDULE PART 1 § 1.(1)(b) {without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is in the national interest. FIRST SCHEDULE PART 2 § 2. {business improvement purpose}Sub-paragraph (1)(a) and (c) applies only if — a reasonable person would consider the collection or disclosure of personal data about P for the relevant purpose to be appropriate in the circumstances; and FIRST SCHEDULE PART 5 § 1.(3)(b) Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — § 17.(2)(a) Subject to the conditions in sub-paragraphs (3), (4) and (5), personal data about an individual (P) — is collected by an organisation (X) that is a corporation from a related corporation (Y) for a purpose specified in sub-paragraph (2) (called the relevant purpose); FIRST SCHEDULE PART 5 § 1.(1)(a) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer of Y; and FIRST SCHEDULE PART 5 § 1.(5)(a) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer or a prospective customer of X. FIRST SCHEDULE PART 5 § 1.(5)(b) {personal purpose}The personal data about an individual — is provided to the organisation by another individual to enable the organisation to provide a service for the personal or domestic purposes of that other individual; and FIRST SCHEDULE PART 3 § 8.(a) {without consent}Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — on or after the specified date in accordance with subsection (1)(c); or § 17.(2)(a)(i) {without consent}Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — before the specified date in accordance with section 17(3) as in force before the specified date, § 17.(2)(a)(ii)] | Data and Information Management | Preventive | |
Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 [{individual's vital interest}The collection, use or disclosure (as the case may be) of personal data about an individual, where — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; and FIRST SCHEDULE PART 1 § 3.(a) {individual's vital interest}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; or FIRST SCHEDULE PART 1 § 1.(1)(a) {legitimate interest}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — confer an interest or a benefit on the individual under a private trust or benefit plan; and FIRST SCHEDULE PART 3 § 7.(a)] | Data and Information Management | Preventive | |
Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Data and Information Management | Preventive | |
Collect personal data absent consent in order to make a disclosure. CC ID 13550 [{individual}{consent} Where an organisation collects personal data disclosed to it by B under subsection (6)(c), subsection (6)(b) and (c) applies to the organisation as if the personal data were disclosed by A to the organisation under subsection (6)(a). § 15.(7) {without consent}{collect}The collection of personal data about an individual, if — the personal data was disclosed by a public agency; and SECOND SCHEDULE PART 1 § 1.(a)] | Data and Information Management | Preventive | |
Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any investigation or proceedings. FIRST SCHEDULE PART 3 § 3.] | Data and Information Management | Preventive | |
Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the collection and use of that personal data by B, where the collection and use are reasonably necessary for any purpose mentioned in paragraph (a); § 15.(6)(b) {without consent}The personal data about an individual — is collected, used or disclosed (as the case may be) for purposes consistent with the purpose for which the document was produced. FIRST SCHEDULE PART 3 § 9.(b) {business improvement purpose}{refrain from achieving}Sub-paragraph (1)(a) and (c) applies only if — the relevant purpose for which X collects, or Y discloses, personal data about P cannot reasonably be achieved without the collection, use or disclosure (as the case may be) of the personal data in an individually identifiable form; FIRST SCHEDULE PART 5 § 1.(3)(a) {collect}{without consent}The collection of personal data about an individual, if — the collection of personal data by the organisation is consistent with the purpose of the disclosure by the public agency. SECOND SCHEDULE PART 1 § 1.(b) {personal purpose}{domestic purposes}The personal data about an individual — is collected, used or disclosed (as the case may be) by the organisation solely for the purpose in sub-paragraph (a). FIRST SCHEDULE PART 3 § 8.(b)] | Data and Information Management | Preventive | |
Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 [{collect}{without consent}The personal data about an individual — is included in a document produced in the course, and for the purposes, of the individual's employment, business or profession; and FIRST SCHEDULE PART 3 § 9.(a) {without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is collected from Y by X for the purposes of the business asset transaction; FIRST SCHEDULE PART 4 § 1.(1)(a) {organization}{party} Where the business asset transaction concerns any part of Y or Y's business assets, the personal data mentioned in sub-paragraph (1) must relate directly to that part of Y or Y's business assets, as the case may be. FIRST SCHEDULE PART 4 § 1.(2) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X may collect, and Y may disclose, only personal data that is necessary for X to determine whether to proceed with the business asset transaction; FIRST SCHEDULE PART 4 § 1.(3)(a) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is collected from Y or Z by X, or from Z by Y, for the purposes of the relevant transaction; FIRST SCHEDULE PART 4 § 2.(1)(a) {legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — relates to a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual. FIRST SCHEDULE PART 3 § 6.(1)(b) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X may collect, and Y or Z (as the case may be) may disclose, only personal data that is necessary for X to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(a)(i) {business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y may collect, and Z may disclose, only personal data that is necessary for X or Y (as the case may be) to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(b)(i) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X and Y or Z (as the case may be) must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the relevant transaction; FIRST SCHEDULE PART 4 § 2.(2)(a)(ii)] | Data and Information Management | Preventive | |
Collect personal data absent consent for handling insurance claims. CC ID 13543 | Data and Information Management | Preventive | |
Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Data and Information Management | Preventive | |
Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 [{is necessary}{without consent} The collection, use or disclosure of personal data is for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual. FIRST SCHEDULE PART 1 § 4.] | Data and Information Management | Preventive | |
Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 [{without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or FIRST SCHEDULE PART 3 § 10.(a) {without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. FIRST SCHEDULE PART 3 § 10.(b)] | Data and Information Management | Preventive | |
Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 [{individual's vital interest}{collect}{disclose} Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — FIRST SCHEDULE PART 1 § 1.(1)] | Data and Information Management | Preventive | |
Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 [{without consent}{archival purpose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for archival or historical purposes, if a reasonable person would not consider the personal data to be too sensitive to the individual to be collected, used or disclosed (as the case may be) at the proposed time. FIRST SCHEDULE PART 2 § 4.] | Data and Information Management | Preventive | |
Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 [{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — administer that trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be. FIRST SCHEDULE PART 3 § 7.(b)] | Data and Information Management | Preventive | |
Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 [{without consent}{artistic purpose}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for artistic or literary purposes. FIRST SCHEDULE PART 2 § 3. {without consent} The personal data about an individual is collected, used or disclosed (as the case may be) by a news organisation solely for its news activity. FIRST SCHEDULE PART 2 § 5.] | Data and Information Management | Preventive | |
Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to recover a debt owed by the individual to the organisation; or FIRST SCHEDULE PART 3 § 4.(a) {collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to pay to the individual a debt owed by the organisation. FIRST SCHEDULE PART 3 § 4.(b)] | Data and Information Management | Preventive | |
Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for evaluative purposes. FIRST SCHEDULE PART 3 § 2.] | Data and Information Management | Preventive | |
Collect restricted data absent consent from publicly available information. CC ID 00019 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual that is publicly available. FIRST SCHEDULE PART 2 § 1.] | Data and Information Management | Preventive | |
Collect restricted data absent consent when needed by law. CC ID 00020 | Data and Information Management | Preventive | |
Collect personal data absent consent to create a credit report. CC ID 15287 [{legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — is for the purpose of the preparation by a credit bureau of a credit report; or FIRST SCHEDULE PART 3 § 6.(1)(a)] | Data and Information Management | Preventive | |
Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Data and Information Management | Preventive | |
Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Data and Information Management | Preventive | |
Collect the minimum amount of restricted data necessary. CC ID 00078 | Data and Information Management | Preventive | |
Collect restricted data in a proper information framework. CC ID 00009 | Data and Information Management | Preventive | |
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 [Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — for purposes consistent with the purpose of that disclosure, or for any purpose permitted by subsection (1)(a); or § 17.(2)(a) ¶ 1 {collect}{disclose}Subject to sub-paragraphs (2), (3) and (4) — the collection, use or disclosure (as the case may be) of personal data about an individual is in the legitimate interests of the organisation or another person; and FIRST SCHEDULE PART 3 § 1.(1)(a)] | Data and Information Management | Preventive | |
Collect restricted data when required by law. CC ID 00031 | Data and Information Management | Preventive | |
Collect restricted data to prevent life-threatening emergencies. CC ID 00032 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual, where — there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected. FIRST SCHEDULE PART 1 § 3.(b)] | Data and Information Management | Preventive | |
Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 | Data and Information Management | Preventive | |
Collect restricted data for legal purposes. CC ID 00036 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services. FIRST SCHEDULE PART 3 § 5.] | Data and Information Management | Preventive | |
Review the methods for collecting personal data, as necessary. CC ID 13511 | Investigate | Detective | |
Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Communicate | Preventive | |
Provide the data subject with the data collector's name and contact information. CC ID 00024 [For the purposes of subsection (4), the organisation must inform the individual of the following: on request by the individual, the business contact information of a person who is able to answer the individual's questions about that collection, use or disclosure (as the case may be) on behalf of the organisation. § 20.(5)(b)] | Establish/Maintain Documentation | Preventive | |
Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Establish/Maintain Documentation | Preventive | |
Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Establish/Maintain Documentation | Preventive | |
Implement security measures to protect personal data. CC ID 13606 [{storage device}An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent — the loss of any storage medium or device on which personal data is stored. § 24.(b) {absent authorization}An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent — unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and § 24.(a)] | Technical Security | Preventive | |
Establish, implement, and maintain a personal data transfer program. CC ID 00307 | Establish/Maintain Documentation | Preventive | |
Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 | Establish/Maintain Documentation | Preventive | |
Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 [{other country} An organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under this Act to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under this Act. § 26.(1)] | Establish/Maintain Documentation | Preventive | |
Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 | Data and Information Management | Preventive | |
Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 | Data and Information Management | Preventive | |
Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 | Data and Information Management | Preventive | |
Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 | Data and Information Management | Preventive | |
Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 | Data and Information Management | Preventive | |
Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 | Data and Information Management | Preventive | |
Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 | Data and Information Management | Preventive | |
Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 | Data and Information Management | Preventive | |
Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 | Data and Information Management | Preventive | |
Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 | Data and Information Management | Preventive | |
Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 | Data and Information Management | Preventive | |
Establish, implement, and maintain a privacy impact assessment. CC ID 13712 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify and implement reasonable measures to — reduce the likelihood that the adverse effect will occur; or § 15A.(5)(b)(ii) The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify and implement reasonable measures to — eliminate the adverse effect; § 15A.(5)(b)(i) The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify and implement reasonable measures to — mitigate the adverse effect; and § 15A.(5)(b)(iii)] | Establish/Maintain Documentation | Preventive | |
Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 | Establish/Maintain Documentation | Preventive | |
Include how to grant consent in the privacy impact assessment. CC ID 15519 | Establish/Maintain Documentation | Preventive | |
Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 | Establish/Maintain Documentation | Preventive | |
Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 | Establish/Maintain Documentation | Preventive | |
Include data handling procedures in the privacy impact assessment. CC ID 15516 | Establish/Maintain Documentation | Preventive | |
Include the intended use of information in the privacy impact assessment. CC ID 15515 | Establish/Maintain Documentation | Preventive | |
Include the reason information is being collected in the privacy impact assessment. CC ID 15514 | Establish/Maintain Documentation | Preventive | |
Include the type of information to be collected in the privacy impact assessment. CC ID 15513 | Business Processes | Preventive | |
Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 | Communicate | Preventive | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Data and Information Management | Preventive | |
Change or destroy any personal data that is incorrect. CC ID 00462 [When an organisation is notified under subsection (2)(b) or (3) of a correction of personal data, the organisation shall correct the personal data in its possession or under its control unless the organisation is satisfied on reasonable grounds that the correction should not be made. § 22.(4) Unless the organisation is satisfied on reasonable grounds that a correction should not be made, the organisation shall — correct the personal data as soon as practicable; and § 22.(2)(a)] | Data and Information Management | Corrective | |
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Behavior | Corrective | |
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 [{refrain from correcting} Nothing in this section shall require an organisation to correct or otherwise alter an opinion, including a professional or an expert opinion. § 22.(6)] | Data and Information Management | Preventive | |
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Data and Information Management | Corrective | |
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 [An organisation shall — develop a process to receive and respond to complaints that may arise with respect to the application of this Act; § 12.(b)] | Establish/Maintain Documentation | Preventive | |
Include potential remedies in the privacy dispute resolution program. CC ID 12531 | Establish/Maintain Documentation | Preventive | |
Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 | Establish/Maintain Documentation | Preventive | |
Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 | Establish/Maintain Documentation | Preventive | |
Document unresolved challenges. CC ID 13568 [An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. Section 22 shall not apply in respect of— any examination conducted by an education institution, examination scripts and, prior to the release of examination results, examination results; SIXTH SCHEDULE § 1.(b) An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. Section 22 shall not apply in respect of— the personal data of the beneficiaries of a private trust kept solely for the purpose of administering the trust; SIXTH SCHEDULE § 1.(c) An organisation is not required to provide information under section 21(1) in respect of — a document related to a prosecution if all proceedings related to the prosecution have not been completed; or SIXTH SCHEDULE § 1.(e)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 | Establish/Maintain Documentation | Preventive | |
Notify individuals of their right to challenge personal data. CC ID 00457 | Data and Information Management | Preventive | |
Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 | Data and Information Management | Preventive | |
Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 | Configuration | Preventive | |
Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 | Human Resources Management | Preventive | |
Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 | Data and Information Management | Preventive | |
Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 | Communicate | Preventive | |
Investigate the disputed accuracy of personal data. CC ID 00461 | Data and Information Management | Preventive | |
Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 | Behavior | Corrective | |
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 [subject to subsection (3), send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the date the correction was made, unless that other organisation does not need the corrected personal data for any legal or business purpose. § 22.(2)(b) An organisation (not being a credit bureau) may, if the individual consents, send the corrected personal data only to specific organisations to which the personal data was disclosed by the organisation within a year before the date the correction was made. § 22.(3)] | Behavior | Corrective | |
Notify third parties of unresolved challenges. CC ID 13559 | Communicate | Preventive | |
Document disagreements as to whether personal data is complete and accurate. CC ID 06952 | Establish/Maintain Documentation | Preventive | |
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 [An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. Section 22 shall not apply in respect of— opinion data kept solely for an evaluative purpose; SIXTH SCHEDULE § 1.(a) If no correction is made under subsection (2)(a) or (4), the organisation shall annotate the personal data in its possession or under its control with the correction that was requested but not made. § 22.(5)] | Establish/Maintain Documentation | Preventive | |
Investigate privacy rights violation complaints. CC ID 00480 | Behavior | Detective | |
Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 | Behavior | Preventive | |
Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 [An organisation or a person (including any individual who is a complainant) aggrieved by — may make a written application to the Commission to reconsider the direction or decision in accordance with this section. § 48N.(1) ¶ 1] | Behavior | Preventive | |
Define the organization's liability based on the applicable law. CC ID 00504 | Establish/Maintain Documentation | Preventive | |
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 [A person who suffers loss or damage directly as a result of a contravention — has a right of action for relief in civil proceedings in a court. § 48O.(1) ¶ 1 A telecommunications service provider which contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000. § 42.(2)] | Establish/Maintain Documentation | Preventive | |
Define the appeal process based on the applicable law. CC ID 00506 [The application for reconsideration — must be made in the form and manner required by the Commission; and § 48N.(4)(b) An organisation or a person aggrieved by a financial penalty imposed by the Commission under section 48J(1) on the organisation or person may make a written application to the Commission to reconsider the decision to impose the financial penalty or the amount of the financial penalty so imposed in accordance with this section. § 48N.(2) The application for reconsideration — subject to subsection (5), must be submitted to the Commission within the prescribed period; § 48N.(4)(a) The application for reconsideration — must set out the grounds on which the applicant is requesting the reconsideration. § 48N.(4)(c)] | Establish/Maintain Documentation | Preventive | |
Define the fee structure for the appeal process. CC ID 16532 | Process or Activity | Preventive | |
Define the time requirements for the appeal process. CC ID 16531 | Process or Activity | Preventive | |
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 | Communicate | Preventive | |
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 | Communicate | Preventive | |
Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Data and Information Management | Preventive | |
Establish, implement, and maintain customer data authentication procedures. CC ID 13187 | Establish/Maintain Documentation | Preventive | |
Check the accuracy of restricted data. CC ID 00088 [{is complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data— is likely to be used by the organisation to make a decision that affects the individual to whom the personal data relates; or § 23.(a) {is complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data— is likely to be disclosed by the organisation to another organisation. § 23.(b) {person}A checker must — ensure that the applicable information provided to P is accurate; and § 43A.(2)(a) {be complete}{be accurate} The organisation must ensure that the copy of the personal data it preserves for the purposes of subsection (1) is a complete and accurate copy of the personal data concerned. § 22A.(2) {be complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data — § 23.] | Data and Information Management | Preventive | |
Record restricted data correctly. CC ID 00089 | Testing | Detective | |
Check that restricted data is complete. CC ID 00090 [{be complete}{be accurate} The organisation must ensure that the copy of the personal data it preserves for the purposes of subsection (1) is a complete and accurate copy of the personal data concerned. § 22A.(2) {be complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data — § 23.] | Data and Information Management | Preventive | |
Establish, implement, and maintain an anti-spam policy. CC ID 00283 [Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes the information, and complies with the conditions, specified in the regulations, if any; and § 44.(c) Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes the information, and complies with the conditions, specified in the regulations, if any; and § 44.(c) For the purposes of subsection (1), the person has valid confirmation that a Singapore telephone number is not listed in the relevant register in either of the following circumstances: the person has obtained from a checker information that the Singapore telephone number is not listed in the relevant register (called in this section the relevant information) and has no reason to believe that, and is not reckless as to whether — § 43.(2)(b)] | Establish/Maintain Documentation | Preventive | |
Refrain from sending unsolicited commercial electronic messages under predetermined conditions. CC ID 13993 [Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the information included in the specified message in compliance with this section is reasonably likely to be valid for at least 30 days after the message is sent. § 44.(d) For the purposes of subsection (1), the person has valid confirmation that a Singapore telephone number is not listed in the relevant register in either of the following circumstances: the person has, within the prescribed duration before sending the specified message — made an application to the Commission under section 40(2) to confirm whether the Singapore telephone number is listed in the relevant register; and § 43.(2)(a)(i)] | Communicate | Preventive | |
Refrain from sending unsolicited commercial electronic messages with hyperlinks to a country with an anti-spam policy. CC ID 00284 | Behavior | Preventive | |
Refrain from including misleading information in the e-mail header when transmitting electronic messages. CC ID 00285 | Behavior | Preventive | |
Include information identifying the organization hired to send commercial electronic messages when sending commercial electronic messages through a third party. CC ID 00286 | Establish/Maintain Documentation | Detective | |
Include contact information in commercial electronic messages. CC ID 15457 | Business Processes | Preventive | |
Refrain from sending commercial electronic messages to a third party computer when the message does not contain a functioning return e-mail address that is clearly visible to the receiver. CC ID 00287 | Behavior | Preventive | |
Refrain from sending commercial electronic messages, physical mail, or making telephone calls after an opt out by a user. CC ID 00288 [{refrain from sending} If a subscriber or user of a Singapore telephone number gives notice withdrawing consent given to a person for the sending of any specified message to that Singapore telephone number, the person shall cease (and cause its agent to cease) sending any specified message to that Singapore telephone number after the expiry of the prescribed period. § 47.(3)] | Behavior | Preventive | |
Include a personal identifier, an opt-out provision, and a physical address to add the recipient to the do-not-e-mail registry in all commercial e-mails. CC ID 00289 | Behavior | Preventive | |
Make the opt-out functional after the e-mail is sent, as necessary. CC ID 00290 | Data and Information Management | Preventive | |
Unsubscribe users from the opt-out notification, as necessary. CC ID 00291 | Data and Information Management | Preventive | |
Make identifiers accurate after e-mails are sent, as necessary. CC ID 00292 | Data and Information Management | Preventive | |
Define aggravated violations that relate to commercial electronic messages. CC ID 00293 | Establish/Maintain Documentation | Preventive | |
Refrain from using misleading subject lines or false subject line on unsolicited commercial electronic messages. CC ID 00294 | Behavior | Preventive | |
Define who enforces the anti-spam policy. CC ID 00295 | Establish Roles | Preventive | |
Establish, implement, and maintain a do-not-e-mail registry. CC ID 00297 | Establish/Maintain Documentation | Preventive | |
Enter individuals into the do-not-e-mail registry upon request. CC ID 11810 | Data and Information Management | Preventive | |
Refrain from using address-harvesting software to send unsolicited commercial e-mails. CC ID 00298 | Behavior | Preventive | |
Refrain from sending unsolicited commercial electronic messages to nonexistent electronic addresses. CC ID 00299 [Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless the person has, at the time the person sends the specified message, valid confirmation that the Singapore telephone number is not listed in the relevant register. § 43.(1) For the purposes of subsection (1), the person has valid confirmation that a Singapore telephone number is not listed in the relevant register in either of the following circumstances: the person has, within the prescribed duration before sending the specified message — received confirmation from the Commission that the Singapore telephone number is not listed in the relevant register; § 43.(2)(a)(ii) Subject to subsections (2) and (3), a person must not send, cause to be sent or authorise the sending of an applicable message. § 48B.(1)] | Behavior | Preventive | |
Include that commercial electronic messages may be sent to an individual in any situation where the sender has prior consent from the individual or another existing business relationship in the anti-spam policy. CC ID 00300 | Establish/Maintain Documentation | Preventive | |
Send commercial electronic messages to individuals who have consented to receive them. CC ID 00302 | Behavior | Preventive | |
Send commercial electronic messages to individuals who have an existing relationship with the organization. CC ID 00301 | Behavior | Preventive | |
Send commercial electronic messages to individuals who perform a business function to which the content of the message pertains. CC ID 13995 | Communicate | Preventive | |
Document erroneous messages when an unsolicited commercial electronic message is accidentally sent. CC ID 00303 | Establish/Maintain Documentation | Preventive | |
Give customers the opportunity to object to receiving commercial electronic messages. CC ID 00304 [{allow} For the avoidance of doubt, a subscriber of a Singapore telephone number may, at any time on or after the date of commencement of this Part, withdraw any consent given for the sending of a specified message to that Singapore telephone number. § 47.(6)] | Data and Information Management | Preventive | |
Refrain from unknowingly including hyperlinks in commercial electronic messages to the anti-spam policy's country of origin. CC ID 00305 | Testing | Detective |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Corrective | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Delegate authority for specific processes, as necessary. CC ID 06780 [An individual designated under subsection (3) may delegate to another individual the responsibility conferred by that designation. § 11.(4)] | Human Resources management | Preventive | |
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 | Operational management | Preventive | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Preventive | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Preventive | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Preventive | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Preventive | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Preventive | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Preventive | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Preventive | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [An organisation shall — communicate to its staff information about the organisation's policies and practices referred to in paragraph (a); and § 12.(c) An organisation shall — make information available on request about— the policies and practices referred to in paragraph (a); and § 12.(d)(i)] | Operational management | Preventive | |
Share data loss event information with the media. CC ID 01759 | Operational management | Corrective | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Corrective | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 [Where a data intermediary (other than a data intermediary mentioned in section 26E) has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation — the data intermediary must, without undue delay, notify that other organisation of the occurrence of the data breach; and § 26C.(3)(a) Subject to subsections (5), (6) and (7), on or after notifying the Commission under subsection (1), the organisation must also notify each affected individual affected by a notifiable data breach mentioned in section 26B(1)(a) in any manner that is reasonable in the circumstances. § 26D.(2) {refrain from delaying} the organisation must, without undue delay, notify the public agency of the occurrence of the data breach. § 26E. ¶ 1] | Operational management | Corrective | |
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 [Where a data intermediary (other than a data intermediary mentioned in section 26E) has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation — that other organisations must, upon notification by the data intermediary, conduct an assessment of whether the data breach is a notifiable data breach. § 26C.(3)(b) {reasonable manner}{be efficient} Subject to subsection (3), where an organisation has reason to believe that a data breach affecting personal data in its possession or under its control has occurred, the organisation must conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach. § 26C.(2)] | Operational management | Detective | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Corrective | |
Avoid false positive incident response notifications. CC ID 04732 | Operational management | Detective | |
Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Corrective | |
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Corrective | |
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Corrective | |
Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Corrective | |
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Preventive | |
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Preventive | |
Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Corrective | |
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Preventive | |
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Corrective | |
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 | Privacy protection for information and data | Preventive | |
Define the criteria for waivers of data subjects' rights. CC ID 16858 | Privacy protection for information and data | Preventive | |
Revoke waivers of data subject's rights, as necessary. CC ID 16859 | Privacy protection for information and data | Preventive | |
Notify the supervisory authority. CC ID 00472 [{terminated telephone number} Every telecommunications service provider shall report to the Commission, in the form and manner prescribed, all terminated Singapore telephone numbers. § 42.(1) {report}{terminated telephone number}For the purpose of subsection (1), where — it shall be the responsibility of the first provider to satisfy subsection (1). § 42.(4) ¶ 1] | Privacy protection for information and data | Preventive | |
Notify the data subject of the collection purpose. CC ID 00095 [For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of— the purposes for the collection, use or disclosure of the personal data, as the case may be, on or before For the purposes of subsection (4), the organisation must inform the individual of the following: the purpose for which the organisation is collecting, using or disclosing (as the case may be) the personal data about the individual; § 20.(5)(a) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the purpose for which the personal data will be collected, used or disclosed; § 15A.(4)(b)(ii) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the organisation's intention to collect, use or disclose the personal data; § 15A.(4)(b)(i) {individual's vital interest} Where the organisation collects, uses or discloses (as the case may be) personal data about the individual under sub-paragraph (1), the organisation must, as soon as is practicable, notify the individual of the collection, use or disclosure (as the case may be) and the purpose for the collection, use or disclosure, as the case may be. FIRST SCHEDULE PART 1 § 1.(2)] | Privacy protection for information and data | Preventive | |
Notify the data subject of changes to personal data use. CC ID 00105 [For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of— any other purpose of the use or disclosure of the personal data of which the individual has not been informed under paragraph (a), before the use or disclosure of the personal data for that purpose; and § 20.(1)(b)] | Privacy protection for information and data | Preventive | |
Notify the data subject after personal data is used or disclosed. CC ID 06247 [{business asset transaction}{organization}{prospective party}If X enters into the relevant transaction, the following conditions apply: X, Y or Z must notify the applicable individuals of Z whose personal data is disclosed that — the relevant transaction has taken place; and FIRST SCHEDULE PART 4 § 2.(3)(c)(i) {business asset transaction}{organization}{prospective party}If X enters into the relevant transaction, the following conditions apply: X, Y or Z must notify the applicable individuals of Z whose personal data is disclosed that — the personal data about them has been disclosed to X. FIRST SCHEDULE PART 4 § 2.(3)(c)(ii) If X enters into the business asset transaction, the following conditions apply: X or Y must notify the applicable individuals of Y whose personal data is disclosed that — the business asset transaction has taken place; and FIRST SCHEDULE PART 4 § 1.(4)(c)(i)] | Privacy protection for information and data | Preventive | |
Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 [{prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: X or Y must notify the applicable individuals of Y whose personal data is disclosed that — the personal data about them has been disclosed to X. FIRST SCHEDULE PART 4 § 1.(4)(c)(ii)] | Privacy protection for information and data | Preventive | |
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Privacy protection for information and data | Preventive | |
Notify the data subject of the source of collected personal data. CC ID 00083 | Privacy protection for information and data | Preventive | |
Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Privacy protection for information and data | Preventive | |
Use simple understandable language to collect information from children. CC ID 00039 | Privacy protection for information and data | Preventive | |
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Privacy protection for information and data | Corrective | |
Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 | Privacy protection for information and data | Corrective | |
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 [subject to subsection (3), send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the date the correction was made, unless that other organisation does not need the corrected personal data for any legal or business purpose. § 22.(2)(b) An organisation (not being a credit bureau) may, if the individual consents, send the corrected personal data only to specific organisations to which the personal data was disclosed by the organisation within a year before the date the correction was made. § 22.(3)] | Privacy protection for information and data | Corrective | |
Investigate privacy rights violation complaints. CC ID 00480 | Privacy protection for information and data | Detective | |
Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 | Privacy protection for information and data | Preventive | |
Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 [An organisation or a person (including any individual who is a complainant) aggrieved by — may make a written application to the Commission to reconsider the direction or decision in accordance with this section. § 48N.(1) ¶ 1] | Privacy protection for information and data | Preventive | |
Refrain from sending unsolicited commercial electronic messages with hyperlinks to a country with an anti-spam policy. CC ID 00284 | Privacy protection for information and data | Preventive | |
Refrain from including misleading information in the e-mail header when transmitting electronic messages. CC ID 00285 | Privacy protection for information and data | Preventive | |
Refrain from sending commercial electronic messages to a third party computer when the message does not contain a functioning return e-mail address that is clearly visible to the receiver. CC ID 00287 | Privacy protection for information and data | Preventive | |
Refrain from sending commercial electronic messages, physical mail, or making telephone calls after an opt out by a user. CC ID 00288 [{refrain from sending} If a subscriber or user of a Singapore telephone number gives notice withdrawing consent given to a person for the sending of any specified message to that Singapore telephone number, the person shall cease (and cause its agent to cease) sending any specified message to that Singapore telephone number after the expiry of the prescribed period. § 47.(3)] | Privacy protection for information and data | Preventive | |
Include a personal identifier, an opt-out provision, and a physical address to add the recipient to the do-not-e-mail registry in all commercial e-mails. CC ID 00289 | Privacy protection for information and data | Preventive | |
Refrain from using misleading subject lines or false subject line on unsolicited commercial electronic messages. CC ID 00294 | Privacy protection for information and data | Preventive | |
Refrain from using address-harvesting software to send unsolicited commercial e-mails. CC ID 00298 | Privacy protection for information and data | Preventive | |
Refrain from sending unsolicited commercial electronic messages to nonexistent electronic addresses. CC ID 00299 [Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless the person has, at the time the person sends the specified message, valid confirmation that the Singapore telephone number is not listed in the relevant register. § 43.(1) For the purposes of subsection (1), the person has valid confirmation that a Singapore telephone number is not listed in the relevant register in either of the following circumstances: the person has, within the prescribed duration before sending the specified message — received confirmation from the Commission that the Singapore telephone number is not listed in the relevant register; § 43.(2)(a)(ii) Subject to subsections (2) and (3), a person must not send, cause to be sent or authorise the sending of an applicable message. § 48B.(1)] | Privacy protection for information and data | Preventive | |
Send commercial electronic messages to individuals who have consented to receive them. CC ID 00302 | Privacy protection for information and data | Preventive | |
Send commercial electronic messages to individuals who have an existing relationship with the organization. CC ID 00301 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a positive information control environment. CC ID 00813 | Operational management | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Preventive | |
Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Detective | |
Assign resources to implement the internal control framework. CC ID 00816 | Operational management | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Operational management | Preventive | |
Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Preventive | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Preventive | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Preventive | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Preventive | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Preventive | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Corrective | |
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Privacy protection for information and data | Preventive | |
Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Preventive | |
Refrain from charging a fee to implement an opt-out request. CC ID 13877 | Privacy protection for information and data | Preventive | |
Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 | Privacy protection for information and data | Preventive | |
Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Privacy protection for information and data | Preventive | |
Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Privacy protection for information and data | Preventive | |
Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Privacy protection for information and data | Preventive | |
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [{allow} On giving notice, a subscriber or user of a Singapore telephone number may at any time withdraw any consent given to a person for the sending of any specified message to that Singapore telephone number. § 47.(1)] | Privacy protection for information and data | Preventive | |
Allow consent requests to be provided in any official languages. CC ID 16530 | Privacy protection for information and data | Preventive | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Preventive | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Privacy protection for information and data | Preventive | |
Dispose of personal data removal requests, as necessary. CC ID 13512 | Privacy protection for information and data | Preventive | |
Include the type of information to be collected in the privacy impact assessment. CC ID 15513 | Privacy protection for information and data | Preventive | |
Include contact information in commercial electronic messages. CC ID 15457 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Preventive | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Preventive | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Operational management | Preventive | |
Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Preventive | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Operational management | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Operational management | Preventive | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Preventive | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Preventive | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Preventive | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Preventive | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Preventive | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Corrective | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Preventive | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Corrective | |
Provide public proof the organization participates in a privacy program. CC ID 12349 | Privacy protection for information and data | Preventive | |
Disclose statements added to education records, as necessary. CC ID 12990 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 | Privacy protection for information and data | Preventive | |
Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject, as necessary. CC ID 12625 [An organisation is not required to provide information under section 21(1) in respect of— any examination conducted by an education institution, examination scripts and, prior to the release of examination results, examination results; FIFTH SCHEDULE § 1.(b) An organisation is not required to provide information under section 21(1) in respect of— the personal data of the beneficiaries of a private trust kept solely for the purpose of administering the trust; FIFTH SCHEDULE § 1.(c) An organisation is not required to provide information under section 21(1) in respect of— personal data kept by an arbitral institution or a mediation centre solely for the purposes of An organisation is not required to provide information under section 21(1) in respect of— a document related to a prosecution if all proceedings related to the prosecution have An organisation is not required to provide information under section 21(1) in respect of— personal data which is subject to An organisation is not required to provide information under section 21(1) in respect of— personal data kept by an arbitral institution or a mediation centre solely for the purposes of {notifiable data breach}An organisation must not notify any affected individual in accordance with subsection (2) if — the Commission so directs. § 26D.(6)(b) An organisation is not required to provide information under section 21(1) in respect of — derived personal data. SIXTH SCHEDULE § 1.(f)] | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 [{notifiable data breach}An organisation must not notify any affected individual in accordance with subsection (2) if — a prescribed law enforcement agency so instructs; or § 26D.(6)(a)] | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 | Privacy protection for information and data | Preventive | |
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the purpose for which the personal data will be collected, used or disclosed; § 15A.(4)(b)(ii)] | Privacy protection for information and data | Preventive | |
Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 | Privacy protection for information and data | Preventive | |
Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Preventive | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Preventive | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Corrective | |
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Preventive | |
Disclose de-identified data, as necessary. CC ID 13034 | Privacy protection for information and data | Preventive | |
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Privacy protection for information and data | Corrective | |
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Privacy protection for information and data | Corrective | |
Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 [{data breach}{notifiable data breach} The organisation must carry out the assessment mentioned in subsection (2) or (3)(b) in accordance with any prescribed requirements. § 26C.(4)] | Privacy protection for information and data | Corrective | |
Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 | Privacy protection for information and data | Corrective | |
Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 [An organisation may — disclose personal data about an individual without the consent of the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 3 of the Second Schedule. § 17.(1)(c) {individual's vital interest}{without consent}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — the individual would not reasonably be expected to withhold consent. FIRST SCHEDULE PART 1 § 1.(1)(b) {organization}{corporation}{business improvement purpose}Subject to the conditions in sub-paragraphs (3), (4) and (5), personal data about an individual (P) — is disclosed by Y to X for a relevant purpose. FIRST SCHEDULE PART 5 § 1.(1)(c)] | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 | Privacy protection for information and data | Preventive | |
Capture personal data removal requests. CC ID 13507 | Privacy protection for information and data | Preventive | |
Notify the data subject of the disclosure purpose. CC ID 15268 [For the purposes of subsection (4), the organisation must inform the individual of the following: the purpose for which the organisation is collecting, using or disclosing (as the case may be) the personal data about the individual; § 20.(5)(a)] | Privacy protection for information and data | Preventive | |
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Preventive | |
Notify the data subject of any exclusions to requested personal data. CC ID 15271 [the organisation must notify the individual of the exclusion, under subsection (2) or (3), of any of the personal data or other information so requested. § 21.(7) ¶ 1] | Privacy protection for information and data | Preventive | |
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 | Privacy protection for information and data | Preventive | |
Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 | Privacy protection for information and data | Preventive | |
Notify third parties of unresolved challenges. CC ID 13559 | Privacy protection for information and data | Preventive | |
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 | Privacy protection for information and data | Preventive | |
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 | Privacy protection for information and data | Preventive | |
Refrain from sending unsolicited commercial electronic messages under predetermined conditions. CC ID 13993 [Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the information included in the specified message in compliance with this section is reasonably likely to be valid for at least 30 days after the message is sent. § 44.(d) For the purposes of subsection (1), the person has valid confirmation that a Singapore telephone number is not listed in the relevant register in either of the following circumstances: the person has, within the prescribed duration before sending the specified message — made an application to the Commission under section 40(2) to confirm whether the Singapore telephone number is listed in the relevant register; and § 43.(2)(a)(i)] | Privacy protection for information and data | Preventive | |
Send commercial electronic messages to individuals who perform a business function to which the content of the message pertains. CC ID 13995 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Automate threat assessments, as necessary. CC ID 06877 | Operational management | Preventive | |
Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Preventive | |
Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 [{be clear}{be accurate}Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes clear and accurate information identifying the individual or organisation that sent or authorised the sending of the specified message; § 44.(a) {be clear}{be accurate}Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes clear and accurate information about how the recipient can readily contact that individual or organisation; § 44.(b) Subject to section 48(3), a person that makes a voice call containing a specified message or causes a voice call containing a specified message to be made or authorises the making of a voice call containing a specified message, addressed to a Singapore telephone number, from a telephone number or fax number, must not do any of the following: conceal or withhold from the recipient the calling line identity of the sender; § 45.(a) Subject to section 48(3), a person that makes a voice call containing a specified message or causes a voice call containing a specified message to be made or authorises the making of a voice call containing a specified message, addressed to a Singapore telephone number, from a telephone number or fax number, must not do any of the following: perform any operation or issue any instruction in connection with the sending of the specified message for the purpose of, or that has the effect of, concealing or withholding from the recipient the calling line identity of the sender. § 45.(b)] | Operational management | Preventive | |
Share incident information with interested personnel and affected parties. CC ID 01212 [{data breach} The notification under subsection (1) must be made in the form and submitted in the manner required by the Commission. § 26D.(4)] | Operational management | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 [Where an organisation assesses, in accordance with section 26C, that a data breach is a notifiable data breach, the organisation must notify the Commission as soon as is practicable, but in any case no later than 3 calendar days after the day the organisation makes that assessment. § 26D.(1)] | Operational management | Corrective | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain adequate openness procedures. CC ID 00377 [{absent consent} An organisation, on or before collecting personal data about an individual from another organisation without the consent of the individual, shall provide the other organisation with sufficient information regarding the purpose of the An organisation shall — make information available on request about — § 12.(d)] | Privacy protection for information and data | Preventive | |
Provide legal authorities access to personal data, upon request. CC ID 06818 | Privacy protection for information and data | Preventive | |
Document the countries where restricted data may be stored. CC ID 12750 | Privacy protection for information and data | Preventive | |
Protect the rights of students and their parents or legal representatives. CC ID 00222 | Privacy protection for information and data | Preventive | |
Disclose educational data, as necessary. CC ID 00223 [{disclose}{without consent} The disclosure of personal data about an individual who is a current or former student of an educational institution to a public agency for the purposes of policy formulation or review. SECOND SCHEDULE PART 3 Division 1 § 2.] | Privacy protection for information and data | Preventive | |
Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 | Privacy protection for information and data | Preventive | |
Disclose education records when written consent is received. CC ID 00224 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent to other school officials. CC ID 00226 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent to another institution's school officials. CC ID 00227 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent in connection with financial aid. CC ID 00229 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent to accrediting organizations. CC ID 00231 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent for a health and safety emergency. CC ID 00234 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent when it is merely directory information. CC ID 00235 | Privacy protection for information and data | Preventive | |
Disclose educational data absent consent to a crime victim. CC ID 00236 | Privacy protection for information and data | Preventive | |
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [{legitimate interest}For the purposes of sub-paragraph (1), the organisation must — provide the individual with reasonable access to information about the organisation's collection, use or disclosure of personal data (as the case may be) in accordance with sub-paragraph (1). FIRST SCHEDULE PART 3 § 1.(2)(b)] | Privacy protection for information and data | Preventive | |
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Privacy protection for information and data | Preventive | |
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 | Privacy protection for information and data | Preventive | |
Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 [{refrain from requiring}{is unreasonable} A person shall not, as a condition for supplying goods, services, land, interest or opportunity, require a subscriber or user of a Singapore telephone number to give consent for the sending of a specified message to that Singapore telephone number or any other Singapore telephone number beyond what is reasonable to provide the goods, services, land, interest or opportunity to that subscriber or user, and any consent given in such circumstance is not validly given. § 46.(1) An organisation shall not — as a condition of providing a product or service, require an individual to consent to the collection, use or disclosure of personal data about the individual beyond what is reasonable to provide the product or service to that individual; or § 14.(2)(a)] | Privacy protection for information and data | Preventive | |
Refrain from obtaining consent through deception. CC ID 13556 [{deceptive act or practice}{refrain from accepting} If a person obtains or attempts to obtain consent for sending a specified message to a Singapore telephone number— by providing false or misleading information with respect to the sending of the specified message; or by using deceptive or misleading practices, any consent given in such circumstances is not validly given. § 46.(2) ¶ 1 An organisation shall not — obtain or attempt to obtain consent for collecting, using, or disclosing personal data by providing false or misleading information with respect to the collection, use, or disclosure of the personal data, or using deceptive or misleading practices. § 14.(2)(b)] | Privacy protection for information and data | Preventive | |
Give individuals the ability to change the uses of their personal data. CC ID 00469 [{refrain from using} Notwithstanding the other provisions in this Part, an organisation may use personal data about an individual collected before the appointed day for the purposes for which the personal data was collected unless — consent for such use is withdrawn in accordance with section 16; or § 19.(a) A person shall not prohibit a subscriber or user of a Singapore telephone number from withdrawing his consent to the sending of a specified message to that Singapore telephone number, but this section shall not affect any legal consequences arising from such withdrawal. § 47.(2)] | Privacy protection for information and data | Preventive | |
Notify data subjects of the implications of withdrawing consent. CC ID 13551 [On receipt of the notice referred to in subsection (1), the organisation concerned shall inform the individual of the likely consequences of withdrawing his consent. § 16.(2) An organisation shall not prohibit an individual from withdrawing his consent to the collection, use or disclosure of personal data about the individual, but this section shall not affect any legal consequences arising from such withdrawal. § 16.(3)] | Privacy protection for information and data | Preventive | |
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Privacy protection for information and data | Preventive | |
Dispose of media and restricted data in a timely manner. CC ID 00125 [{dispose}{deidentify}{no longer appropriate} An organisation shall cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that — the purpose for which that personal data was collected is no longer being served by retention of the personal data; and § 25.(a) {dispose}{deidentify} An organisation shall cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that — retention is no longer necessary for legal or business purposes. § 25.(b) {prospective party}{organization} If the business asset transaction does not proceed or is not completed, X must destroy, or return to Y, all personal data collected. FIRST SCHEDULE PART 4 § 1.(5) {organization}{prospective party}{business asset transaction}{individual}If the relevant transaction does not proceed or is not completed — X must destroy, or return to Y or Z (as the case may be), all personal data collected; and FIRST SCHEDULE PART 4 § 2.(4)(a) {business asset transaction}{organization}If the relevant transaction does not proceed or is not completed — Y must destroy, or return to Z, all personal data collected. FIRST SCHEDULE PART 4 § 2.(4)(b)] | Privacy protection for information and data | Preventive | |
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 [An organisation may collect, use or disclose personal data about an individual only for purposes— that the individual has been Subject to subsections (2), (3) and (4), on request of an individual, an organisation shall, as soon as reasonably possible, provide the individual with— information about the ways in which the personal data referred to in paragraph (a) has been or may have been used or disclosed by the organisation within a year before the date of the request. § 21.(1)(b) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the purpose for which the personal data will be collected, used or disclosed; § 15A.(4)(b)(ii) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the organisation's intention to collect, use or disclose the personal data; § 15A.(4)(b)(i) {individual's vital interest} Where the organisation collects, uses or discloses (as the case may be) personal data about the individual under sub-paragraph (1), the organisation must, as soon as is practicable, notify the individual of the collection, use or disclosure (as the case may be) and the purpose for the collection, use or disclosure, as the case may be. FIRST SCHEDULE PART 1 § 1.(2) For the purposes of subsection (4), the organisation must inform the individual of the following: the purpose for which the organisation is collecting, using or disclosing (as the case may be) the personal data about the individual; § 20.(5)(a) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or § 20.(4)(a) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. § 20.(4)(b)] | Privacy protection for information and data | Preventive | |
Provide individuals with information about disclosure of their personal data. CC ID 00417 [{individual's vital interest} Where the organisation collects, uses or discloses (as the case may be) personal data about the individual under sub-paragraph (1), the organisation must, as soon as is practicable, notify the individual of the collection, use or disclosure (as the case may be) and the purpose for the collection, use or disclosure, as the case may be. FIRST SCHEDULE PART 1 § 1.(2)] | Privacy protection for information and data | Preventive | |
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Preventive | |
Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual; § 15A.(5)(a) {legitimate interest}{collect}{disclose}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify any adverse effect that the proposed collection, use or disclosure (as the case may be) of personal data about an individual is likely to have on the individual; FIRST SCHEDULE PART 3 § 1.(3)(a)] | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Privacy protection for information and data | Preventive | |
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Privacy protection for information and data | Preventive | |
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 [{disclose}The disclosure of personal data about an individual who is a current or former patient of any of the following to a public agency for the purposes of policy formulation or review: a healthcare institution licensed under the Private Hospitals and Medical Clinics Act (Cap. 248); SECOND SCHEDULE PART 3 Division 1 § 3.(a)] | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 [{disclose}The disclosure of personal data about an individual who is a current or former patient of any of the following to a public agency for the purposes of policy formulation or review: a prescribed healthcare body. SECOND SCHEDULE PART 3 Division 1 § 3.(c) {disclose}The disclosure of personal data about an individual who is a current or former patient of any of the following to a public agency for the purposes of policy formulation or review: a licensee under the Healthcare Services Act 2020 (Act 3 of 2020); SECOND SCHEDULE PART 3 Division 1 § 3.(b)] | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Privacy protection for information and data | Preventive | |
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Privacy protection for information and data | Preventive | |
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Privacy protection for information and data | Preventive | |
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Privacy protection for information and data | Preventive | |
Process personal data after the data subject has granted explicit consent. CC ID 00180 [{refrain from processing} An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless— the individual gives, or is deemed to have given, his consent under this Act to the collection, use or disclosure, as the case may be; or § 13.(a)] | Privacy protection for information and data | Preventive | |
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 | Privacy protection for information and data | Preventive | |
Process personal data relating to criminal offenses when required by law. CC ID 00237 | Privacy protection for information and data | Preventive | |
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Privacy protection for information and data | Preventive | |
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Privacy protection for information and data | Preventive | |
Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Privacy protection for information and data | Preventive | |
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [{collect}{disclose}Subject to sub-paragraphs (2), (3) and (4) — the collection, use or disclosure (as the case may be) of personal data about an individual is in the legitimate interests of the organisation or another person; and FIRST SCHEDULE PART 3 § 1.(1)(a)] | Privacy protection for information and data | Preventive | |
Process traffic data in a controlled manner. CC ID 00130 | Privacy protection for information and data | Preventive | |
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Privacy protection for information and data | Preventive | |
Process personal data when it is publicly accessible. CC ID 00187 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual that is publicly available. FIRST SCHEDULE PART 2 § 1.] | Privacy protection for information and data | Preventive | |
Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Privacy protection for information and data | Preventive | |
Process personal data for the purposes of employment. CC ID 16527 | Privacy protection for information and data | Preventive | |
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services. FIRST SCHEDULE PART 3 § 5.] | Privacy protection for information and data | Preventive | |
Process personal data for debt collection or benefit payments. CC ID 00190 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to recover a debt owed by the individual to the organisation; or FIRST SCHEDULE PART 3 § 4.(a) {collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to pay to the individual a debt owed by the organisation. FIRST SCHEDULE PART 3 § 4.(b) {legitimate interest}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — confer an interest or a benefit on the individual under a private trust or benefit plan; and FIRST SCHEDULE PART 3 § 7.(a)] | Privacy protection for information and data | Preventive | |
Process personal data in order to advance the public interest. CC ID 00191 [The use of personal data about an individual for a research purpose (including historical or statistical research), if — there is a clear public benefit to using the personal data for the research purpose; SECOND SCHEDULE PART 2 Division 3 § 1.(b)] | Privacy protection for information and data | Preventive | |
Process personal data for surveys, archives, or scientific research. CC ID 00192 | Privacy protection for information and data | Preventive | |
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 [{without consent} The personal data about an individual is collected, used or disclosed (as the case may be) by a news organisation solely for its news activity. FIRST SCHEDULE PART 2 § 5. {without consent}{artistic purpose}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for artistic or literary purposes. FIRST SCHEDULE PART 2 § 3.] | Privacy protection for information and data | Preventive | |
Process personal data for academic purposes or religious purposes. CC ID 00194 | Privacy protection for information and data | Preventive | |
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Privacy protection for information and data | Preventive | |
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Privacy protection for information and data | Preventive | |
Follow legal obligations while processing personal data. CC ID 04794 | Privacy protection for information and data | Preventive | |
Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Privacy protection for information and data | Preventive | |
Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 [An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if— it is reasonable that the individual would voluntarily provide the data. § 15.(1)(b) An organisation may — use personal data about an individual without the consent of the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 2 of the Second Schedule; or § 17.(1)(b) {individual's vital interest}{without consent}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — the individual would not reasonably be expected to withhold consent. FIRST SCHEDULE PART 1 § 1.(1)(b) {without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is in the national interest. FIRST SCHEDULE PART 2 § 2. {business improvement purpose}{organization}Subject to the conditions in sub-paragraphs (3), (4) and (5), personal data about an individual (P) — is used by X for a relevant purpose; or FIRST SCHEDULE PART 5 § 1.(1)(b) {business improvement purpose}Sub-paragraph (1)(b) applies only if — a reasonable person would consider the use of personal data about P for the relevant purpose to be appropriate in the circumstances. FIRST SCHEDULE PART 5 § 1.(4)(b) {business improvement purpose}{refrain from achieving}Sub-paragraph (1)(b) applies only if — the relevant purpose for which X uses personal data about P cannot reasonably be achieved without the use of the personal data in an individually identifiable form; and FIRST SCHEDULE PART 5 § 1.(4)(a)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 | Privacy protection for information and data | Preventive | |
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 [{without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or FIRST SCHEDULE PART 3 § 10.(a) {without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. FIRST SCHEDULE PART 3 § 10.(b)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 [Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: improving or enhancing any goods or services provided, or developing new goods or services to be provided, by the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(a) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: learning about and understanding the behaviour and preferences of P or another individual in relation to the goods or services provided by the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(c) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: identifying any goods or services provided by the organisation that may be suitable for P or another individual, or personalising or customising any such goods or services for P or another individual. SECOND SCHEDULE PART 2 Division 2 § 1.(1)(d)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 [{individual's vital interest}The collection, use or disclosure (as the case may be) of personal data about an individual, where — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; and FIRST SCHEDULE PART 1 § 3.(a)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 [{individual's vital interest}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; or FIRST SCHEDULE PART 1 § 1.(1)(a)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 [{without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is used or disclosed by X in relation to the business asset transaction; or FIRST SCHEDULE PART 4 § 1.(1)(b) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is used or disclosed by X or Y in relation to the relevant transaction; or FIRST SCHEDULE PART 4 § 2.(1)(b) {legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — relates to a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual. FIRST SCHEDULE PART 3 § 6.(1)(b) {business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: X may use or disclose the personal data collected from Y or Z (as the case may be) only for the same purposes for which Y or Z (as the case may be) would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(a)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent in order to perform a contract. CC ID 13586 [{prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: X may use or disclose the personal data X collected from Y only for the same purposes for which Y would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 1.(4)(a) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X and Y must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the business asset transaction. FIRST SCHEDULE PART 4 § 1.(3)(b) {business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y and Z must have entered into an agreement that requires Y to use or disclose the personal data solely for purposes related to the relevant transaction. FIRST SCHEDULE PART 4 § 2.(2)(b)(ii)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Privacy protection for information and data | Preventive | |
Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Privacy protection for information and data | Preventive | |
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 [{is necessary}{without consent} The collection, use or disclosure of personal data is for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual. FIRST SCHEDULE PART 1 § 4.] | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 [{refrain from achieving}The use of personal data about an individual for a research purpose (including historical or statistical research), if — the research purpose cannot reasonably be accomplished unless the personal data is used in an individually identifiable form; SECOND SCHEDULE PART 2 Division 3 § 1.(a) {collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for evaluative purposes. FIRST SCHEDULE PART 3 § 2. The use of personal data about an individual for a research purpose (including historical or statistical research), if — the results of the research will not be used to make any decision that affects the individual; and SECOND SCHEDULE PART 2 Division 3 § 1.(c)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is needed by law. CC ID 13577 [{refrain from processing} An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless— the collection, use or disclosure, as the case may be, without the consent of the individual is required or authorised under this Act or any other written law. § 13.(b) Subject to section 25, if an individual withdraws consent to the collection, use or disclosure of personal data about the individual by an organisation for any purpose, the organisation shall cease (and cause its data intermediaries and agents to cease) collecting, using or disclosing the personal data, as the case may be, unless such collection, use or disclosure, as the case may be, without the consent of the individual is required or authorised under this Act or other written law. § 16.(4)] | Privacy protection for information and data | Preventive | |
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 [{without consent}{archival purpose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for archival or historical purposes, if a reasonable person would not consider the personal data to be too sensitive to the individual to be collected, used or disclosed (as the case may be) at the proposed time. FIRST SCHEDULE PART 2 § 4.] | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is from publicly available information. CC ID 13576 [{without consent}The use of personal data about an individual, if — the personal data was disclosed by a public agency; and SECOND SCHEDULE PART 2 Division 1 § 1.(a)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent to create a credit report. CC ID 15288 [{legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — is for the purpose of the preparation by a credit bureau of a credit report; or FIRST SCHEDULE PART 3 § 6.(1)(a)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 [Unless otherwise provided under this Act, an organisation may — use or disclose personal data about an individual that — for purposes consistent with the purpose of that collection, or for any purpose permitted by subsection (1)(b) or (c), as the case may be. § 17.(2)(b) ¶ 1 Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the collection and use of that personal data by B, where the collection and use are reasonably necessary for any purpose mentioned in paragraph (a); § 15.(6)(b) {without consent}The personal data about an individual — is collected, used or disclosed (as the case may be) for purposes consistent with the purpose for which the document was produced. FIRST SCHEDULE PART 3 § 9.(b) {personal purpose}{domestic purposes}The personal data about an individual — is collected, used or disclosed (as the case may be) by the organisation solely for the purpose in sub-paragraph (a). FIRST SCHEDULE PART 3 § 8.(b) {without consent}The use of personal data about an individual, if — the use of personal data by the organization is consistent with the purpose of the disclosure by the public agency. SECOND SCHEDULE PART 2 Division 1 § 1.(b)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 [{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — administer that trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be. FIRST SCHEDULE PART 3 § 7.(b)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent when produced for business purposes. CC ID 13563 [Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: improving or enhancing any goods or services provided, or developing new goods or services to be provided, by the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(a) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: improving or enhancing the methods or processes, or developing new methods or processes, for the operations of the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(b) {cannot achieve}Sub-paragraph (1) applies only if — the purpose for which the organisation uses personal data about P cannot reasonably be achieved without the use of the personal data in an individually identifiable form; and SECOND SCHEDULE PART 2 Division 2 § 1.(2)(a) {business improvement purpose}Sub-paragraph (1) applies only if — a reasonable person would consider the use of personal data about P for that purpose to be appropriate in the circumstances. SECOND SCHEDULE PART 2 Division 2 § 1.(2)(b)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent for handling insurance claims. CC ID 13561 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 | Privacy protection for information and data | Preventive | |
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Privacy protection for information and data | Preventive | |
Process personal data absent consent for life-threatening emergencies. CC ID 13558 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual, where — there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected. FIRST SCHEDULE PART 1 § 3.(b)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent for reasonable investigative purposes. CC ID 13557 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any investigation or proceedings. FIRST SCHEDULE PART 3 § 3.] | Privacy protection for information and data | Preventive | |
Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary — § 15.(6)(a)] | Privacy protection for information and data | Preventive | |
Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the collection and use of that personal data by B; § 15.(3)(b)] | Privacy protection for information and data | Detective | |
Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent when the law does not require consent. CC ID 00136 | Privacy protection for information and data | Preventive | |
Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 [Unless otherwise provided under this Act, an organisation may — use or disclose personal data about an individual that — for purposes consistent with the purpose of that collection, or for any purpose permitted by subsection (1)(b) or (c), as the case may be. § 17.(2)(b) ¶ 1 Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by B to another organisation, where the disclosure is reasonably necessary for any purpose mentioned in paragraph (a). § 15.(6)(c) {personal purpose}{domestic purposes}The personal data about an individual — is collected, used or disclosed (as the case may be) by the organisation solely for the purpose in sub-paragraph (a). FIRST SCHEDULE PART 3 § 8.(b) {business improvement purpose}{refrain from achieving}Sub-paragraph (1)(a) and (c) applies only if — the relevant purpose for which X collects, or Y discloses, personal data about P cannot reasonably be achieved without the collection, use or disclosure (as the case may be) of the personal data in an individually identifiable form; FIRST SCHEDULE PART 5 § 1.(3)(a) {without consent}The personal data about an individual — is collected, used or disclosed (as the case may be) for purposes consistent with the purpose for which the document was produced. FIRST SCHEDULE PART 3 § 9.(b)] | Privacy protection for information and data | Preventive | |
Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the disclosure of that personal data by A to another organisation (B); § 15.(3)(a) Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the disclosure of that personal data by B to another organisation. § 15.(3)(c) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer of Y; and FIRST SCHEDULE PART 5 § 1.(5)(a) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer or a prospective customer of X. FIRST SCHEDULE PART 5 § 1.(5)(b)] | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 [{individual's vital interest}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; or FIRST SCHEDULE PART 1 § 1.(1)(a)] | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 [{without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or FIRST SCHEDULE PART 3 § 10.(a) {without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. FIRST SCHEDULE PART 3 § 10.(b)] | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent to create a credit report. CC ID 15297 [{legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — is for the purpose of the preparation by a credit bureau of a credit report; or FIRST SCHEDULE PART 3 § 6.(1)(a)] | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 [{business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y may collect, and Z may disclose, only personal data that is necessary for X or Y (as the case may be) to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(b)(i)] | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent for handling insurance claims. CC ID 13585 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 [{is necessary}{without consent} The collection, use or disclosure of personal data is for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual. FIRST SCHEDULE PART 1 § 4.] | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 [{collect}{disclose}Subject to sub-paragraphs (2), (3) and (4) — the collection, use or disclosure (as the case may be) of personal data about an individual is in the legitimate interests of the organisation or another person; and FIRST SCHEDULE PART 3 § 1.(1)(a)] | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 [{individual's vital interest}The collection, use or disclosure (as the case may be) of personal data about an individual, where — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; and FIRST SCHEDULE PART 1 § 3.(a) The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — it is impracticable for the organisation to seek the consent of the individual for the disclosure; SECOND SCHEDULE PART 3 Division 2 § 1.(b)] | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent in order to perform a contract. CC ID 00139 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary — for the conclusion or performance of a contract between A and B which is entered into at P's request, or which a reasonable person would consider to be in P's interest; § 15.(6)(a)(ii) {without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is used or disclosed by X in relation to the business asset transaction; or FIRST SCHEDULE PART 4 § 1.(1)(b) {without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is disclosed by Y to X for the purposes of the business transaction. FIRST SCHEDULE PART 4 § 1.(1)(c) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X may collect, and Y may disclose, only personal data that is necessary for X to determine whether to proceed with the business asset transaction; FIRST SCHEDULE PART 4 § 1.(3)(a) {prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: X may use or disclose the personal data X collected from Y only for the same purposes for which Y would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 1.(4)(a) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X and Y must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the business asset transaction. FIRST SCHEDULE PART 4 § 1.(3)(b) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is used or disclosed by X or Y in relation to the relevant transaction; or FIRST SCHEDULE PART 4 § 2.(1)(b) Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary — for the performance of the contract between P and A; or § 15.(6)(a)(i) {legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — relates to a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual. FIRST SCHEDULE PART 3 § 6.(1)(b) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is disclosed by Y or Z (as the case may be) to X, or by Z to Y, for the purposes of the relevant transaction. FIRST SCHEDULE PART 4 § 2.(1)(c) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X may collect, and Y or Z (as the case may be) may disclose, only personal data that is necessary for X to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(a)(i) {business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: X may use or disclose the personal data collected from Y or Z (as the case may be) only for the same purposes for which Y or Z (as the case may be) would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(a) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X and Y or Z (as the case may be) must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the relevant transaction; FIRST SCHEDULE PART 4 § 2.(2)(a)(ii) {business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y and Z must have entered into an agreement that requires Y to use or disclose the personal data solely for purposes related to the relevant transaction. FIRST SCHEDULE PART 4 § 2.(2)(b)(ii) {legitimate interest}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — confer an interest or a benefit on the individual under a private trust or benefit plan; and FIRST SCHEDULE PART 3 § 7.(a)] | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 [{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — administer that trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be. FIRST SCHEDULE PART 3 § 7.(b)] | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 [{disclose}The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — in the event that the results of the research are published, the organisation publishes the results in a form that does not identify the individual. SECOND SCHEDULE PART 3 Division 2 § 1.(e)] | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 [{disclose}{without consent} The disclosure of personal data about an individual to a public agency, where the disclosure is necessary in the public interest. SECOND SCHEDULE PART 3 Division 1 § 1.] | Privacy protection for information and data | Preventive | |
Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 | Privacy protection for information and data | Preventive | |
Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 [The use of personal data about an individual for a research purpose (including historical or statistical research), if — in the event that the results of the research are published, the organisation publishes the results in a form that does not identify the individual. SECOND SCHEDULE PART 2 Division 3 § 1.(d) {refrain from achieving}The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — the research purpose cannot reasonably be accomplished unless the personal data is disclosed in an individually identifiable form; SECOND SCHEDULE PART 3 Division 2 § 1.(a) The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — there is a clear public benefit to disclosing the personal data for the research purpose; SECOND SCHEDULE PART 3 Division 2 § 1.(c) {collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for evaluative purposes. FIRST SCHEDULE PART 3 § 2. {disclose}The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — the results of the research will not be used to make a decision that affects the individual; and SECOND SCHEDULE PART 3 Division 2 § 1.(d)] | Privacy protection for information and data | Preventive | |
Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 [{without consent}{archival purpose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for archival or historical purposes, if a reasonable person would not consider the personal data to be too sensitive to the individual to be collected, used or disclosed (as the case may be) at the proposed time. FIRST SCHEDULE PART 2 § 4.] | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent for public economic interests. CC ID 00148 | Privacy protection for information and data | Preventive | |
Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is in the national interest. FIRST SCHEDULE PART 2 § 2.] | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 [{without consent} The personal data about an individual is collected, used or disclosed (as the case may be) by a news organisation solely for its news activity. FIRST SCHEDULE PART 2 § 5. {without consent}{artistic purpose}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for artistic or literary purposes. FIRST SCHEDULE PART 2 § 3.] | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual that is publicly available. FIRST SCHEDULE PART 2 § 1.] | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 | Privacy protection for information and data | Preventive | |
Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 [{individual's vital interest}{collect}{disclose} Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — FIRST SCHEDULE PART 1 § 1.(1)] | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual, where — there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected. FIRST SCHEDULE PART 1 § 3.(b)] | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any investigation or proceedings. FIRST SCHEDULE PART 3 § 3. {collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services. FIRST SCHEDULE PART 3 § 5.] | Privacy protection for information and data | Preventive | |
Disclose restricted data absent consent when it is needed by law. CC ID 00163 | Privacy protection for information and data | Preventive | |
Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 [An organisation must not inform any individual under subsection (1)(b) that the organisation has disclosed personal data about the individual to a prescribed law enforcement agency if the disclosure was made under this Act or any other written law without the consent of the individual. § 21.(4) {disclose} The disclosure of personal data about any individual to any officer of a prescribed law enforcement agency, upon production of written authorisation signed by the head or director of that prescribed law enforcement agency or a person of a similar rank, certifying that the personal data is necessary for the purposes of the functions or duties of the officer. SECOND SCHEDULE PART 3 Division 1 § 4.] | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to recover a debt owed by the individual to the organisation; or FIRST SCHEDULE PART 3 § 4.(a) {collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to pay to the individual a debt owed by the organisation. FIRST SCHEDULE PART 3 § 4.(b)] | Privacy protection for information and data | Preventive | |
Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 | Privacy protection for information and data | Preventive | |
Limit the redisclosure and reuse of restricted data. CC ID 00168 | Privacy protection for information and data | Preventive | |
Refrain from redisclosing or reusing restricted data. CC ID 00169 | Privacy protection for information and data | Preventive | |
Redisclose restricted data when the data subject consents. CC ID 00171 | Privacy protection for information and data | Preventive | |
Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 | Privacy protection for information and data | Preventive | |
Redisclose restricted data in order to protect public revenue. CC ID 00173 | Privacy protection for information and data | Preventive | |
Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 | Privacy protection for information and data | Preventive | |
Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 | Privacy protection for information and data | Preventive | |
Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 | Privacy protection for information and data | Preventive | |
Redisclose restricted data in order to preserve human life at sea. CC ID 00177 | Privacy protection for information and data | Preventive | |
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 | Privacy protection for information and data | Preventive | |
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 | Privacy protection for information and data | Preventive | |
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Privacy protection for information and data | Preventive | |
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Privacy protection for information and data | Preventive | |
Process Personal Identification Numbers with consent. CC ID 00239 | Privacy protection for information and data | Preventive | |
Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Privacy protection for information and data | Preventive | |
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Privacy protection for information and data | Preventive | |
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Privacy protection for information and data | Preventive | |
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Privacy protection for information and data | Preventive | |
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Privacy protection for information and data | Preventive | |
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Privacy protection for information and data | Preventive | |
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Privacy protection for information and data | Preventive | |
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Privacy protection for information and data | Preventive | |
Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 | Privacy protection for information and data | Preventive | |
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual; § 15A.(5)(a) {legitimate interest}{collect}{disclose} The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify any adverse effect that the proposed collection, use or disclosure (as the case may be) of personal data about an individual is likely to have on the individual; FIRST SCHEDULE PART 3 § 1.(3)(a)] | Privacy protection for information and data | Preventive | |
Review personal data disclosure requests. CC ID 07129 | Privacy protection for information and data | Preventive | |
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 [{personal data request} An organisation is not required to provide information under section 21(1) in respect of— any request— that would unreasonably interfere with the operations of the organisation because of the repetitious or systematic nature of the requests; FIFTH SCHEDULE § 1.(j)(i) {personal data request} An organisation is not required to provide information under section 21(1) in respect of— any request— for information that is trivial; or FIFTH SCHEDULE § 1.(j)(iv) {personal data request}{is unnecessary} An organisation is not required to provide information under section 21(1) in respect of— any request— that is otherwise frivolous or vexatious. FIFTH SCHEDULE § 1.(j)(v) {interfere}{operation} For the purposes of paragraph 1(j)(i), the organisation may have regard to the number and frequency of requests received. FIFTH SCHEDULE § 2.] | Privacy protection for information and data | Preventive | |
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 [{personal data request} An organisation is not required to provide information under section 21(1) in respect of— any request— for information that does not exist or cannot be found; FIFTH SCHEDULE § 1.(j)(iii)] | Privacy protection for information and data | Preventive | |
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 [{other person} An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to— reveal personal data about another individual; § 21.(3)(c) {other person} An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to — reveal the identity of an individual who has provided personal data about another individual and the individual providing the personal data does not consent to the disclosure of his identity; or § 21.(3)(d)] | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Preventive | |
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [An organisation is not required to provide information under section 21(1) in respect of— personal data which, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the organisation; FIFTH SCHEDULE § 1.(g)] | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 [An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to— threaten the safety or physical or mental health of an individual other than the individual who made the request; § 21.(3)(a) An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to— cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request; § 21.(3)(b)] | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Preventive | |
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Preventive | |
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Preventive | |
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 [An organisation is not required to provide information under section 21(1) in respect of— opinion data kept solely for an evaluative purpose; FIFTH SCHEDULE § 1.(a)] | Privacy protection for information and data | Preventive | |
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 [{contravene} An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to — be contrary to the national interest. § 21.(3)(e)] | Privacy protection for information and data | Detective | |
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 [An organisation is not required to provide information under section 21(1) in respect of — personal data collected, used or disclosed without consent, under paragraph 3 of Part 3 of the First Schedule, for the purposes of an investigation if the investigation and associated proceedings and appeals have not been completed; FIFTH SCHEDULE § 1.(h)] | Privacy protection for information and data | Preventive | |
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 [An organisation is not required to provide information under section 21(1) in respect of— the personal data was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he was appointed to act— under a collective agreement under the Industrial Relations Act (Cap. 136) or by agreement between the parties to the mediation or arbitration; FIFTH SCHEDULE § 1.(i)(i) An organisation is not required to provide information under section 21(1) in respect of— the personal data was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he was appointed to act— under any written law; or FIFTH SCHEDULE § 1.(i)(ii) An organisation is not required to provide information under section 21(1) in respect of— the personal data was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he was appointed to act— by a | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Preventive | |
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 [{personal data request}{be disproportionate} An organisation is not required to provide information under section 21(1) in respect of— any request— if the burden or expense of providing access would be unreasonable to the organisation or disproportionate to the individual's interests; FIFTH SCHEDULE § 1.(j)(ii)] | Privacy protection for information and data | Preventive | |
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [the organisation must, within the prescribed time and in accordance with the prescribed requirements, notify the individual of the rejection. § 21.(6) ¶ 1] | Privacy protection for information and data | Preventive | |
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Preventive | |
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [Subject to subsections (2), (3) and (4), on request of an individual, an organisation shall, as soon as reasonably possible, provide the individual with— personal data about the individual that is in the possession or under the control of the organisation; and § 21.(1)(a) {is complete} If an organisation is able to provide the individual with the individual's personal data and other information requested under subsection (1) without the personal data or other information excluded under subsections (2), (3) and (4), the organisation shall provide the individual with access to the personal data and other information without the personal data or other information excluded under subsections (2), (3) and (4). § 21.(5)] | Privacy protection for information and data | Preventive | |
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Privacy protection for information and data | Preventive | |
Provide data or records in a reasonable time frame. CC ID 00429 [{person} A checker is deemed to have complied with subsection (2)(a) if — the checker provides the applicable information to P before the expiry of the prescribed period mentioned in section 43(2)(b)(i). § 43A.(3)(b)] | Privacy protection for information and data | Preventive | |
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Preventive | |
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Privacy protection for information and data | Preventive | |
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Preventive | |
Provide data at a cost that is not excessive. CC ID 00430 | Privacy protection for information and data | Preventive | |
Provide records or data in a reasonable manner. CC ID 00431 | Privacy protection for information and data | Preventive | |
Provide personal data in a form that is intelligible. CC ID 00432 | Privacy protection for information and data | Preventive | |
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Preventive | |
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Preventive | |
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Preventive | |
Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual; § 15A.(5)(a) {legitimate interest}{collect}{disclose} The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify any adverse effect that the proposed collection, use or disclosure (as the case may be) of personal data about an individual is likely to have on the individual; FIRST SCHEDULE PART 3 § 1.(3)(a)] | Privacy protection for information and data | Preventive | |
Refrain from collecting personal data, as necessary. CC ID 15269 [An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless — § 13.] | Privacy protection for information and data | Preventive | |
Use personal data for specified purposes. CC ID 11831 [{business asset transaction}{organization}{prospective party}{individual} If X enters into the relevant transaction, the following conditions apply: Y may use or disclose the personal data collected from Z only for the same purposes for which Z would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(b)] | Privacy protection for information and data | Preventive | |
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: § 15.(6)] | Privacy protection for information and data | Preventive | |
Provide explicit consent that is clear and unambiguous. CC ID 00181 | Privacy protection for information and data | Preventive | |
Allow individuals to change their personal data collection consent preferences. CC ID 06946 [{allow} On giving reasonable notice to the organisation, an individual may at any time withdraw any consent given, or deemed to have been given under this Act, in respect of the collection, use or disclosure by that organisation of personal data about the individual for any purpose. § 16.(1) An organisation shall not prohibit an individual from withdrawing his consent to the collection, use or disclosure of personal data about the individual, but this section shall not affect any legal consequences arising from such withdrawal. § 16.(3)] | Privacy protection for information and data | Preventive | |
Adhere to each individual's personal data collection consent preferences. CC ID 06947 | Privacy protection for information and data | Preventive | |
Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Privacy protection for information and data | Preventive | |
Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Privacy protection for information and data | Preventive | |
Include an individual's name in the personal data definition. CC ID 04710 | Privacy protection for information and data | Preventive | |
Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Privacy protection for information and data | Preventive | |
Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Privacy protection for information and data | Preventive | |
Include an individual's signature in the personal data definition. CC ID 04711 | Privacy protection for information and data | Preventive | |
Include an individual's date of birth in the personal data definition. CC ID 04770 | Privacy protection for information and data | Preventive | |
Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Privacy protection for information and data | Preventive | |
Include an individual's biometric data in the personal data definition. CC ID 04698 | Privacy protection for information and data | Preventive | |
Include an individual's photographic image in the personal data definition. CC ID 04779 | Privacy protection for information and data | Preventive | |
Include an individual's fingerprints in the personal data definition. CC ID 04689 | Privacy protection for information and data | Preventive | |
Include an individual's address in the personal data definition. CC ID 04687 | Privacy protection for information and data | Preventive | |
Include an individual's telephone number in the personal data definition. CC ID 04688 | Privacy protection for information and data | Preventive | |
Include an individual's fax number in the personal data definition. CC ID 07120 | Privacy protection for information and data | Preventive | |
Include an individual's financial account number in the personal data definition. CC ID 04692 | Privacy protection for information and data | Preventive | |
Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Privacy protection for information and data | Preventive | |
Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Privacy protection for information and data | Preventive | |
Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Privacy protection for information and data | Preventive | |
Include an individual's passport number in the personal data definition. CC ID 04713 | Privacy protection for information and data | Preventive | |
Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Privacy protection for information and data | Preventive | |
Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Privacy protection for information and data | Preventive | |
Include an individual's e-mail address in the personal data definition. CC ID 04696 | Privacy protection for information and data | Preventive | |
Include electronic signatures in the personal data definition. CC ID 04697 | Privacy protection for information and data | Preventive | |
Include an individual's payment card information in the personal data definition. CC ID 04751 | Privacy protection for information and data | Preventive | |
Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Privacy protection for information and data | Preventive | |
Include an individual's payment card service code in the personal data definition. CC ID 04753 | Privacy protection for information and data | Preventive | |
Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Privacy protection for information and data | Preventive | |
Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Privacy protection for information and data | Preventive | |
Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Privacy protection for information and data | Preventive | |
Include an individual's medical history in the personal data definition. CC ID 04701 | Privacy protection for information and data | Preventive | |
Include an individual's medical treatment in the personal data definition. CC ID 04702 | Privacy protection for information and data | Preventive | |
Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Privacy protection for information and data | Preventive | |
Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Privacy protection for information and data | Preventive | |
Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Privacy protection for information and data | Preventive | |
Include an individual's health insurance information in the personal data definition. CC ID 04705 | Privacy protection for information and data | Preventive | |
Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Privacy protection for information and data | Preventive | |
Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Privacy protection for information and data | Preventive | |
Include an individual's education information in the personal data definition. CC ID 04714 | Privacy protection for information and data | Preventive | |
Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Privacy protection for information and data | Preventive | |
Include an individual's employment information in the personal data definition. CC ID 04715 | Privacy protection for information and data | Preventive | |
Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Privacy protection for information and data | Preventive | |
Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Privacy protection for information and data | Preventive | |
Include an individual's employment history in the personal data definition. CC ID 04716 | Privacy protection for information and data | Preventive | |
Include an individual's place of employment in the personal data definition. CC ID 04765 | Privacy protection for information and data | Preventive | |
Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Privacy protection for information and data | Preventive | |
Include an individual's property information in the personal data definition. CC ID 04780 | Privacy protection for information and data | Preventive | |
Include an individual's property title in the personal data definition. CC ID 04781 | Privacy protection for information and data | Preventive | |
Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Privacy protection for information and data | Preventive | |
Include hardware asset identification information in the personal data definition. CC ID 07123 | Privacy protection for information and data | Preventive | |
Include MAC addresses in the personal data definition. CC ID 04778 | Privacy protection for information and data | Preventive | |
Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Privacy protection for information and data | Preventive | |
Include asset serial numbers in the personal data definition. CC ID 07124 | Privacy protection for information and data | Preventive | |
Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Privacy protection for information and data | Preventive | |
Define specially restricted data. CC ID 00037 | Privacy protection for information and data | Preventive | |
Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Privacy protection for information and data | Preventive | |
Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Privacy protection for information and data | Preventive | |
Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Privacy protection for information and data | Preventive | |
Implement a nondiscrimination principle. CC ID 00081 | Privacy protection for information and data | Preventive | |
Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Privacy protection for information and data | Preventive | |
Preserve each individual's right to human dignity. CC ID 00082 | Privacy protection for information and data | Preventive | |
Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Privacy protection for information and data | Preventive | |
Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Privacy protection for information and data | Preventive | |
Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Privacy protection for information and data | Preventive | |
Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Privacy protection for information and data | Preventive | |
Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Privacy protection for information and data | Preventive | |
Manage health data collection. CC ID 00050 | Privacy protection for information and data | Preventive | |
Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 | Privacy protection for information and data | Preventive | |
Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Privacy protection for information and data | Preventive | |
Collect Individually Identifiable Health Information for research. CC ID 00054 | Privacy protection for information and data | Preventive | |
Remove personal data before disclosing health data. CC ID 00055 | Privacy protection for information and data | Preventive | |
Give special attention to collecting children's data. CC ID 00038 | Privacy protection for information and data | Preventive | |
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Privacy protection for information and data | Preventive | |
Collect personal data directly from the data subject. CC ID 00011 | Privacy protection for information and data | Preventive | |
Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Privacy protection for information and data | Preventive | |
Provide unlinkability for users and resources. CC ID 04550 | Privacy protection for information and data | Preventive | |
Collect restricted data in a fair and lawful manner. CC ID 00010 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the collection and use of that personal data by B; § 15.(3)(b)] | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 [An organisation may — collect personal data about an individual, without the consent of the individual or from a source other than the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 1 of the Second Schedule; § 17.(1)(a) {individual's vital interest}{without consent}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — the individual would not reasonably be expected to withhold consent. FIRST SCHEDULE PART 1 § 1.(1)(b) {without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is in the national interest. FIRST SCHEDULE PART 2 § 2. {business improvement purpose}Sub-paragraph (1)(a) and (c) applies only if — a reasonable person would consider the collection or disclosure of personal data about P for the relevant purpose to be appropriate in the circumstances; and FIRST SCHEDULE PART 5 § 1.(3)(b) Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — § 17.(2)(a) Subject to the conditions in sub-paragraphs (3), (4) and (5), personal data about an individual (P) — is collected by an organisation (X) that is a corporation from a related corporation (Y) for a purpose specified in sub-paragraph (2) (called the relevant purpose); FIRST SCHEDULE PART 5 § 1.(1)(a) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer of Y; and FIRST SCHEDULE PART 5 § 1.(5)(a) {business 
improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer or a prospective customer of X. FIRST SCHEDULE PART 5 § 1.(5)(b) {personal purpose}The personal data about an individual — is provided to the organisation by another individual to enable the organisation to provide a service for the personal or domestic purposes of that other individual; and FIRST SCHEDULE PART 3 § 8.(a) {without consent}Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — on or after the specified date in accordance with subsection (1)(c); or § 17.(2)(a)(i) {without consent}Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — before the specified date in accordance with section 17(3) as in force before the specified date, § 17.(2)(a)(ii)] | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 [{individual's vital interest}The collection, use or disclosure (as the case may be) of personal data about an individual, where — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; and FIRST SCHEDULE PART 1 § 3.(a) {individual's vital interest}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; or FIRST SCHEDULE PART 1 § 1.(1)(a) {legitimate interest}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — confer an interest or a benefit on the individual under a private trust or benefit plan; and FIRST SCHEDULE PART 3 § 7.(a)] | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent in order to make a disclosure. CC ID 13550 [{individual}{consent} Where an organisation collects personal data disclosed to it by B under subsection (6)(c), subsection (6)(b) and (c) applies to the organisation as if the personal data were disclosed by A to the organisation under subsection (6)(a). § 15.(7) {without consent}{collect}The collection of personal data about an individual, if — the personal data was disclosed by a public agency; and SECOND SCHEDULE PART 1 § 1.(a)] | Privacy protection for information and data | Preventive | |
Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any investigation or proceedings. FIRST SCHEDULE PART 3 § 3.] | Privacy protection for information and data | Preventive | |
Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the collection and use of that personal data by B, where the collection and use are reasonably necessary for any purpose mentioned in paragraph (a); § 15.(6)(b) {without consent}The personal data about an individual — is collected, used or disclosed (as the case may be) for purposes consistent with the purpose for which the document was produced. FIRST SCHEDULE PART 3 § 9.(b) {business improvement purpose}{refrain from achieving}Sub-paragraph (1)(a) and (c) applies only if — the relevant purpose for which X collects, or Y discloses, personal data about P cannot reasonably be achieved without the collection, use or disclosure (as the case may be) of the personal data in an individually identifiable form; FIRST SCHEDULE PART 5 § 1.(3)(a) {collect}{without consent}The collection of personal data about an individual, if — the collection of personal data by the organisation is consistent with the purpose of the disclosure by the public agency. SECOND SCHEDULE PART 1 § 1.(b) {personal purpose}{domestic purposes}The personal data about an individual — is collected, used or disclosed (as the case may be) by the organisation solely for the purpose in sub-paragraph (a). FIRST SCHEDULE PART 3 § 8.(b)] | Privacy protection for information and data | Preventive | |
Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 [{collect}{without consent}The personal data about an individual — is included in a document produced in the course, and for the purposes, of the individual's employment, business or profession; and FIRST SCHEDULE PART 3 § 9.(a) {without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is collected from Y by X for the purposes of the business asset transaction; FIRST SCHEDULE PART 4 § 1.(1)(a) {organization}{party} Where the business asset transaction concerns any part of Y or Y's business assets, the personal data mentioned in sub-paragraph (1) must relate directly to that part of Y or Y's business assets, as the case may be. FIRST SCHEDULE PART 4 § 1.(2) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X may collect, and Y may disclose, only personal data that is necessary for X to determine whether to proceed with the business asset transaction; FIRST SCHEDULE PART 4 § 1.(3)(a) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is collected from Y or Z by X, or from Z by Y, for the purposes of the relevant transaction; FIRST SCHEDULE PART 4 § 2.(1)(a) {legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — relates to a credit report provided by a credit 
bureau to a member of the credit bureau in relation to a transaction between the member and the individual. FIRST SCHEDULE PART 3 § 6.(1)(b) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X may collect, and Y or Z (as the case may be) may disclose, only personal data that is necessary for X to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(a)(i) {business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y may collect, and Z may disclose, only personal data that is necessary for X or Y (as the case may be) to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(b)(i) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X and Y or Z (as the case may be) must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the relevant transaction; FIRST SCHEDULE PART 4 § 2.(2)(a)(ii)] | Privacy protection for information and data | Preventive | |
Collect personal data absent consent for handling insurance claims. CC ID 13543 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 [{is necessary}{without consent} The collection, use or disclosure of personal data is for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual. FIRST SCHEDULE PART 1 § 4.] | Privacy protection for information and data | Preventive | |
Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 [{without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or FIRST SCHEDULE PART 3 § 10.(a) {without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. FIRST SCHEDULE PART 3 § 10.(b)] | Privacy protection for information and data | Preventive | |
Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 [{individual's vital interest}{collect}{disclose} Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — FIRST SCHEDULE PART 1 § 1.(1)] | Privacy protection for information and data | Preventive | |
Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 [{without consent}{archival purpose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for archival or historical purposes, if a reasonable person would not consider the personal data to be too sensitive to the individual to be collected, used or disclosed (as the case may be) at the proposed time. FIRST SCHEDULE PART 2 § 4.] | Privacy protection for information and data | Preventive | |
Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 [{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — administer that trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be. FIRST SCHEDULE PART 3 § 7.(b)] | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 [{without consent}{artistic purpose}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for artistic or literary purposes. FIRST SCHEDULE PART 2 § 3. {without consent} The personal data about an individual is collected, used or disclosed (as the case may be) by a news organisation solely for its news activity. FIRST SCHEDULE PART 2 § 5.] | Privacy protection for information and data | Preventive | |
Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to recover a debt owed by the individual to the organisation; or FIRST SCHEDULE PART 3 § 4.(a) {collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to pay to the individual a debt owed by the organisation. FIRST SCHEDULE PART 3 § 4.(b)] | Privacy protection for information and data | Preventive | |
Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for evaluative purposes. FIRST SCHEDULE PART 3 § 2.] | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent from publicly available information. CC ID 00019 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual that is publicly available. FIRST SCHEDULE PART 2 § 1.] | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent when needed by law. CC ID 00020 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent to create a credit report. CC ID 15287 [{legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — is for the purpose of the preparation by a credit bureau of a credit report; or FIRST SCHEDULE PART 3 § 6.(1)(a)] | Privacy protection for information and data | Preventive | |
Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Privacy protection for information and data | Preventive | |
Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Privacy protection for information and data | Preventive | |
Collect the minimum amount of restricted data necessary. CC ID 00078 | Privacy protection for information and data | Preventive | |
Collect restricted data in a proper information framework. CC ID 00009 | Privacy protection for information and data | Preventive | |
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 [Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — for purposes consistent with the purpose of that disclosure, or for any purpose permitted by subsection (1)(a); or § 17.(2)(a) ¶ 1 {collect}{disclose}Subject to sub-paragraphs (2), (3) and (4) — the collection, use or disclosure (as the case may be) of personal data about an individual is in the legitimate interests of the organisation or another person; and FIRST SCHEDULE PART 3 § 1.(1)(a)] | Privacy protection for information and data | Preventive | |
Collect restricted data when required by law. CC ID 00031 | Privacy protection for information and data | Preventive | |
Collect restricted data to prevent life-threatening emergencies. CC ID 00032 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual, where — there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected. FIRST SCHEDULE PART 1 § 3.(b)] | Privacy protection for information and data | Preventive | |
Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 | Privacy protection for information and data | Preventive | |
Collect restricted data for legal purposes. CC ID 00036 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services. FIRST SCHEDULE PART 3 § 5.] | Privacy protection for information and data | Preventive | |
Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 | Privacy protection for information and data | Preventive | |
Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 | Privacy protection for information and data | Preventive | |
Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 | Privacy protection for information and data | Preventive | |
Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 | Privacy protection for information and data | Preventive | |
Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 | Privacy protection for information and data | Preventive | |
Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 | Privacy protection for information and data | Preventive | |
Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 | Privacy protection for information and data | Preventive | |
Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 | Privacy protection for information and data | Preventive | |
Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 | Privacy protection for information and data | Preventive | |
Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 | Privacy protection for information and data | Preventive | |
Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 | Privacy protection for information and data | Preventive | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Preventive | |
Change or destroy any personal data that is incorrect. CC ID 00462 [When an organisation is notified under subsection (2)(b) or (3) of a correction of personal data, the organisation shall correct the personal data in its possession or under its control unless the organisation is satisfied on reasonable grounds that the correction should not be made. § 22.(4) Unless the organisation is satisfied on reasonable grounds that a correction should not be made, the organisation shall — correct the personal data as soon as practicable; and § 22.(2)(a)] | Privacy protection for information and data | Corrective | |
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 [{refrain from correcting} Nothing in this section shall require an organisation to correct or otherwise alter an opinion, including a professional or an expert opinion. § 22.(6)] | Privacy protection for information and data | Preventive | |
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Corrective | |
Notify individuals of their right to challenge personal data. CC ID 00457 | Privacy protection for information and data | Preventive | |
Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 | Privacy protection for information and data | Preventive | |
Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 | Privacy protection for information and data | Preventive | |
Investigate the disputed accuracy of personal data. CC ID 00461 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Privacy protection for information and data | Preventive | |
Check the accuracy of restricted data. CC ID 00088 [{is complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data— is likely to be used by the organisation to make a decision that affects the individual to whom the personal data relates; or § 23.(a) {is complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data— is likely to be disclosed by the organisation to another organisation. § 23.(b) {person}A checker must — ensure that the applicable information provided to P is accurate; and § 43A.(2)(a) {be complete}{be accurate} The organisation must ensure that the copy of the personal data it preserves for the purposes of subsection (1) is a complete and accurate copy of the personal data concerned. § 22A.(2) {be complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data — § 23.] | Privacy protection for information and data | Preventive | |
Check that restricted data is complete. CC ID 00090 [{be complete}{be accurate} The organisation must ensure that the copy of the personal data it preserves for the purposes of subsection (1) is a complete and accurate copy of the personal data concerned. § 22A.(2) {be complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data — § 23.] | Privacy protection for information and data | Preventive | |
Make the opt-out functional after the e-mail is sent, as necessary. CC ID 00290 | Privacy protection for information and data | Preventive | |
Unsubscribe users from the opt-out notification, as necessary. CC ID 00291 | Privacy protection for information and data | Preventive | |
Make identifiers accurate after e-mails are sent, as necessary. CC ID 00292 | Privacy protection for information and data | Preventive | |
Enter individuals into the do-not-e-mail registry upon request. CC ID 11810 | Privacy protection for information and data | Preventive | |
Give customers the opportunity to object to receiving commercial electronic messages. CC ID 00304 [{allow} For the avoidance of doubt, a subscriber of a Singapore telephone number may, at any time on or after the date of commencement of this Part, withdraw any consent given for the sending of a specified message to that Singapore telephone number. § 47.(6)] | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Identify and define all critical roles. CC ID 00777 | Human Resources management | Preventive | |
Define and assign the data controller's roles and responsibilities. CC ID 00471 [An organisation is responsible for personal data in its possession or under its control. § 11.(2)] | Human Resources management | Preventive | |
Assign the role of data controller to applicable controls. CC ID 00354 | Human Resources management | Preventive | |
Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Human Resources management | Preventive | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Human Resources management | Preventive | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Preventive | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Operational management | Preventive | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Preventive | |
Include roles and responsibilities in the registration notice. CC ID 16803 | Privacy protection for information and data | Preventive | |
Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Preventive | |
Process restricted data lawfully and carefully. CC ID 00086 [{be appropriate} An organisation may collect, use or disclose personal data about an individual only for purposes— that a reasonable person would consider appropriate in the | Privacy protection for information and data | Preventive | |
Define who enforces the anti-spam policy. CC ID 00295 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Preventive | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Preventive | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Preventive | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Audits and risk management | Preventive | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Audits and risk management | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Preventive | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Preventive | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [{legitimate interest}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify and implement reasonable measures — to eliminate the adverse effect; FIRST SCHEDULE PART 3 § 1.(3)(b)(i) {legitimate interest}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify and implement reasonable measures — to reduce the likelihood that the adverse effect will occur; or FIRST SCHEDULE PART 3 § 1.(3)(b)(ii) {legitimate interest}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify and implement reasonable measures — to mitigate the adverse effect; and FIRST SCHEDULE PART 3 § 1.(3)(b)(iii)] | Audits and risk management | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [An organisation shall — develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under this Act; § 12.(a)] | Operational management | Preventive | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Operational management | Preventive | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Preventive | |
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Operational management | Preventive | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Preventive | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Operational management | Preventive | |
Include the scope in the compliance policy. CC ID 14812 | Operational management | Preventive | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Preventive | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Preventive | |
Include management commitment in the compliance policy. CC ID 14808 | Operational management | Preventive | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Operational management | Preventive | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Operational management | Preventive | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Operational management | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 | Operational management | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Preventive | |
Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Preventive | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Preventive | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Preventive | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Preventive | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Preventive | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Preventive | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Preventive | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Detective | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Preventive | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Operational management | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Preventive | |
Include physical safeguards in the information security program. CC ID 12375 | Operational management | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 | Operational management | Preventive | |
Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Preventive | |
Include system development in the information security program. CC ID 12389 | Operational management | Preventive | |
Include system maintenance in the information security program. CC ID 12388 | Operational management | Preventive | |
Include system acquisition in the information security program. CC ID 12387 | Operational management | Preventive | |
Include access control in the information security program. CC ID 12386 | Operational management | Preventive | |
Include operations management in the information security program. CC ID 12385 | Operational management | Preventive | |
Include communication management in the information security program. CC ID 12384 | Operational management | Preventive | |
Include environmental security in the information security program. CC ID 12383 | Operational management | Preventive | |
Include physical security in the information security program. CC ID 12382 | Operational management | Preventive | |
Include human resources security in the information security program. CC ID 12381 | Operational management | Preventive | |
Include asset management in the information security program. CC ID 12380 | Operational management | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Preventive | |
Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Preventive | |
Include risk management in the information security program. CC ID 12378 | Operational management | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 | Operational management | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 | Operational management | Preventive | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Preventive | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Preventive | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Preventive | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Preventive | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Preventive | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Preventive | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Preventive | |
Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Preventive | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Preventive | |
Include startup processes in operational control procedures. CC ID 00833 | Operational management | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Preventive | |
Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Preventive | |
Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Corrective | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Preventive | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Preventive | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Preventive | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Preventive | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Preventive | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Preventive | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Preventive | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Preventive | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Preventive | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Preventive | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Preventive | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Corrective | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Preventive | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Preventive | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Preventive | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Preventive | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Preventive | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Preventive | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Preventive | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Preventive | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Preventive | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Operational management | Preventive | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Preventive | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Preventive | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 | Operational management | Preventive | |
Include use limitations in the use of information agreement. CC ID 06244 | Operational management | Preventive | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Preventive | |
Include information recipients in the use of information agreement. CC ID 06245 | Operational management | Preventive | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Preventive | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Operational management | Preventive | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Operational management | Preventive | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Preventive | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Operational management | Preventive | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Operational management | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{reasonable and appropriate measure} In meeting its responsibilities under this Act, an organisation shall consider what a reasonable person would consider appropriate in the circumstances. § 11.(1) The designation of an individual by an organisation under subsection (3) shall not relieve the organisation of any of its obligations under this Act. § 11.(6) {legitimate interest}{personal data}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — comply with any other prescribed requirements. FIRST SCHEDULE PART 3 § 1.(3)(c)] | Operational management | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Preventive | |
Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Corrective | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Preventive | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Preventive | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Preventive | |
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Preventive | |
Establish, implement, and maintain incident response notifications. CC ID 12975 [{data breach} The notification under subsection (1) must be made in the form and submitted in the manner required by the Commission. § 26D.(4)] | Operational management | Corrective | |
Include information required by law in incident response notifications. CC ID 00802 [The notification under subsection (1) or (2) must contain, to the best of the knowledge and belief of the organisation at the time it notifies the Commission or affected individual (as the case may be), all the information that is prescribed for this purpose. § 26D.(3)] | Operational management | Detective | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Preventive | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Preventive | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Preventive | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Preventive | |
Use plain language to write incident response notifications. CC ID 12976 | Operational management | Preventive | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Preventive | |
Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Preventive | |
Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Preventive | |
Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Preventive | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Preventive | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Preventive | |
Include time information in incident response notifications. CC ID 04745 | Operational management | Preventive | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Preventive | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Preventive | |
Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Preventive | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Preventive | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Preventive | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Preventive | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Preventive | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Preventive | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Preventive | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Preventive | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Preventive | |
Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Preventive | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Preventive | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Preventive | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Detective | |
Include contact information in incident response notifications. CC ID 04739 | Operational management | Preventive | |
Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Preventive | |
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Preventive | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain opt-out notices. CC ID 13448 [A subscriber may apply to the Commission, in the form and manner prescribed — to remove his Singapore telephone number from a register. § 40.(1)(b)] | Privacy protection for information and data | Preventive | |
Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 | Privacy protection for information and data | Preventive | |
Include the opt out method for data subjects in the opt-out notice. CC ID 13467 | Privacy protection for information and data | Preventive | |
Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 | Privacy protection for information and data | Preventive | |
Explain the right to opt out in the opt-out notice. CC ID 13462 | Privacy protection for information and data | Preventive | |
Include the organization's right to share personal data in the opt-out notice. CC ID 13450 | Privacy protection for information and data | Preventive | |
Publish a description of processing activities in an official register. CC ID 00379 | Privacy protection for information and data | Preventive | |
Establish and maintain a records request manual. CC ID 00381 | Privacy protection for information and data | Preventive | |
Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 | Privacy protection for information and data | Preventive | |
Define what is included in registration notices. CC ID 00386 | Privacy protection for information and data | Preventive | |
Include the verification method in the registration notice. CC ID 16798 | Privacy protection for information and data | Preventive | |
Include the statutory authority in the registration notice. CC ID 16799 | Privacy protection for information and data | Preventive | |
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 | Privacy protection for information and data | Preventive | |
Include a purpose specification description in the registration notice. CC ID 00388 | Privacy protection for information and data | Preventive | |
Include information about the dispute resolution body in the registration notice. CC ID 16800 | Privacy protection for information and data | Preventive | |
Include the data subject category being processed in the registration notice. CC ID 00389 | Privacy protection for information and data | Preventive | |
Include the time period for data processing in the registration notice. CC ID 00390 | Privacy protection for information and data | Preventive | |
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 | Privacy protection for information and data | Preventive | |
Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 | Privacy protection for information and data | Preventive | |
Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 [For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of— on request by the individual, the business contact information of a person who is able to answer on behalf of the organisation the individual's questions about the collection, use or disclosure of the personal data. § 20.(1)(c) An organisation shall make available to the public the business contact information of at least one of the individuals designated under subsection (3) or delegated under subsection (4). § 11.(5) Without limiting subsection (5), an organisation is deemed to have satisfied that subsection if the organisation makes available the business contact information of any individual mentioned in subsection (3) in any prescribed manner. 11.(5A)] | Privacy protection for information and data | Preventive | |
Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 [An organisation shall — make information available on request about — the complaint process referred to in paragraph (b). § 12.(d).(ii)] | Privacy protection for information and data | Preventive | |
Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 | Privacy protection for information and data | Preventive | |
Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 | Privacy protection for information and data | Preventive | |
Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 | Privacy protection for information and data | Preventive | |
Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 | Privacy protection for information and data | Preventive | |
Specify the purpose of the disclosure in the written consent. CC ID 13001 | Privacy protection for information and data | Preventive | |
Specify which education records may be disclosed in the written consent. CC ID 13000 | Privacy protection for information and data | Preventive | |
Document the conditions when consent is not required to disclose educational data. CC ID 00225 | Privacy protection for information and data | Preventive | |
Record the health and safety threats of students when disclosing personal data. CC ID 12997 | Privacy protection for information and data | Preventive | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Preventive | |
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [Any person may apply to the Commission, in the form and manner required by the Commission, to confirm whether any Singapore telephone number is listed in a register. § 40.(2)] | Privacy protection for information and data | Preventive | |
Establish and maintain a disclosure accounting record. CC ID 13022 | Privacy protection for information and data | Preventive | |
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 | Privacy protection for information and data | Preventive | |
Include the disclosure purpose in the disclosure accounting record. CC ID 07135 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the organisation's intention to collect, use or disclose the personal data; § 15A.(4)(b)(i)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain personal data choice and consent program. CC ID 12569 [A subscriber may apply to the Commission, in the form and manner prescribed — to add his Singapore telephone number to a register; or § 40.(1)(a) A person does not contravene subsection (1) if the subscriber or user of the Singapore telephone number to which a specified message is sent — gave clear and unambiguous consent to the sending of the specified message to that Singapore telephone number; and § 43.(4)(a)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data request procedures. CC ID 16546 | Privacy protection for information and data | Preventive | |
Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 [A person does not contravene subsection (1) if the subscriber or user of the Singapore telephone number to which a specified message is sent — the consent is evidenced in written or other form so as to be accessible for subsequent reference. § 43.(4)(b)] | Privacy protection for information and data | Preventive | |
Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 | Privacy protection for information and data | Preventive | |
Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 | Privacy protection for information and data | Preventive | |
Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 | Privacy protection for information and data | Preventive | |
Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 | Privacy protection for information and data | Preventive | |
Include the identity of the data subject in the disclosure authorization form. CC ID 13436 | Privacy protection for information and data | Preventive | |
Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 | Privacy protection for information and data | Preventive | |
Include how personal data will be used in the disclosure authorization form. CC ID 13441 | Privacy protection for information and data | Preventive | |
Include agreement termination information in the disclosure authorization form. CC ID 13437 | Privacy protection for information and data | Preventive | |
Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Preventive | |
Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 [{business improvement purpose}Sub-paragraph (1)(a) and (c) applies only if — X and Y are bound by any contract or other agreement or binding corporate rules requiring the recipient of personal data about P to implement and maintain appropriate safeguards for the personal data. FIRST SCHEDULE PART 5 § 1.(3)(c)] | Privacy protection for information and data | Preventive | |
Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 | Privacy protection for information and data | Preventive | |
Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 | Privacy protection for information and data | Preventive | |
Include data subject's rights in the Binding Corporate Rules. CC ID 12596 | Privacy protection for information and data | Preventive | |
Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 | Privacy protection for information and data | Preventive | |
Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 | Privacy protection for information and data | Preventive | |
Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 | Privacy protection for information and data | Preventive | |
Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 | Privacy protection for information and data | Preventive | |
Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 | Privacy protection for information and data | Preventive | |
Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 | Privacy protection for information and data | Preventive | |
Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 | Privacy protection for information and data | Preventive | |
Include complaint procedures in the Binding Corporate Rules. CC ID 12613 | Privacy protection for information and data | Preventive | |
Include the data transfers in the Binding Corporate Rules. CC ID 12590 | Privacy protection for information and data | Preventive | |
Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 | Privacy protection for information and data | Preventive | |
Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 | Privacy protection for information and data | Preventive | |
Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 | Privacy protection for information and data | Preventive | |
Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 | Privacy protection for information and data | Preventive | |
Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 | Privacy protection for information and data | Preventive | |
Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 | Privacy protection for information and data | Preventive | |
Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain Data Processing Contracts. CC ID 12650 | Privacy protection for information and data | Preventive | |
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — satisfy any other prescribed requirements. § 15A.(4)(c) The organisation must, in respect of the assessment mentioned in subsection (4)(a) — comply with any other prescribed requirements. § 15A.(5)(c) {person}A checker is deemed to have complied with subsection (2)(a) if — the applicable information that the checker provides to P is in accordance with a reply from the Commission in response to the checker's application under section 40(2); and § 43A.(3)(a)] | Privacy protection for information and data | Preventive | |
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 [{prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: if any personal data X collects from Y does not relate directly to the part of Y or Y's business assets with which the business asset transaction entered into is concerned, X must destroy, or return to Y, that personal data; FIRST SCHEDULE PART 4 § 1.(4)(b)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Privacy protection for information and data | Preventive | |
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Privacy protection for information and data | Preventive | |
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 [If an individual gives or is deemed to have given, consent to the disclosure of personal data about the individual by one organisation to another organisation for a particular purpose, the individual is deemed to consent to the collection, use, or disclosure of the personal data for that particular purpose by that other organisation. § 15.(2) {consent}{disclosure} Where an organisation collects personal data disclosed to it by B under subsection (3)(c), subsection (3)(b) and (c) applies to the organisation as if the personal data were disclosed by A to the organisation under subsection (3)(a). § 15.(4)] | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Privacy protection for information and data | Preventive | |
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data access procedures. CC ID 00414 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [{allow} An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. § 22.(1)] | Privacy protection for information and data | Preventive | |
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 [Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the organisation satisfies the requirements in subsection (4); and § 15A.(2)(a)] | Privacy protection for information and data | Preventive | |
Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 | Privacy protection for information and data | Preventive | |
Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 | Privacy protection for information and data | Preventive | |
Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 | Privacy protection for information and data | Preventive | |
Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 | Privacy protection for information and data | Preventive | |
Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 | Privacy protection for information and data | Preventive | |
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Privacy protection for information and data | Preventive | |
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Privacy protection for information and data | Preventive | |
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Privacy protection for information and data | Preventive | |
Define and implement valid authorization control requirements. CC ID 06258 | Privacy protection for information and data | Preventive | |
Define security breach notification requirement exceptions. CC ID 04797 | Privacy protection for information and data | Preventive | |
Define what restricted data is not required to be disclosed absent consent. CC ID 00134 | Privacy protection for information and data | Preventive | |
Define the exceptions to disclosure absent consent. CC ID 00135 | Privacy protection for information and data | Preventive | |
Define opt-out exceptions for disclosing restricted data. CC ID 00159 | Privacy protection for information and data | Preventive | |
Define how a data subject may give consent. CC ID 00160 [An individual has not given consent under this Act for the collection, use or disclosure of personal data about the individual by an organisation for a purpose unless— the individual has been provided with the information required under section 20; and § 14.(1)(a) {render invalid} Any consent given in any of the circumstances in subsection (2) is not validly given for the purposes of this Act. § 14.(3) An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if— the individual, without actually giving consent referred to in section 14, voluntarily provides the personal data to the organisation for that purpose; and § 15.(1)(a) In this Act, references to the consent given or deemed to have been given, by an individual for the collection, use, or disclosure of personal data about the individual shall include consent given, or deemed to have been given, by any person validly acting on behalf of that individual for the collection, use or disclosure of such personal data. § 14.(4) An individual has not given consent under this Act for the collection, use or disclosure of personal data about the individual by an organisation for a purpose unless — the individual provided his consent for that purpose in accordance with this Act. § 14.(1)(b) Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the individual does not notify the organisation, before the expiry of the period mentioned in subsection (4)(b)(iii), that the individual does not consent to the proposed collection, use or disclosure of the personal data by the organisation. § 15A.(2)(b) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: a reasonable period within which, and a reasonable manner by which, the individual may notify the organisation that the individual does not consent to the organisation's proposed collection, use or disclosure of the personal data; and § 15A.(4)(b)(iii)] | Privacy protection for information and data | Preventive | |
Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 | Privacy protection for information and data | Detective | |
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [the organisation must preserve, for not less than the prescribed period, a copy of the personal data concerned. § 22A.(1) ¶ 1] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain personal data disposition procedures. CC ID 13498 | Privacy protection for information and data | Preventive | |
Document the redisclosing restricted data exceptions. CC ID 00170 | Privacy protection for information and data | Preventive | |
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data disclosure procedures. CC ID 00133 [Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the organisation satisfies the requirements in subsection (4); and § 15A.(2)(a) {business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: Y may use or disclose the personal data collected from Z only for the same purposes for which Z would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(b)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data request denial procedures. CC ID 00434 | Privacy protection for information and data | Preventive | |
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 [Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the organisation satisfies the requirements in subsection (4); and § 15A.(2)(a)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Preventive | |
Post the collection purpose. CC ID 00101 | Privacy protection for information and data | Preventive | |
Document each individual's personal data collection consent preferences. CC ID 06945 | Privacy protection for information and data | Preventive | |
Establish and maintain a personal data definition. CC ID 00028 | Privacy protection for information and data | Preventive | |
Include the number of children in the personal data definition. CC ID 13759 | Privacy protection for information and data | Preventive | |
Include the individual's religion in the personal data definition. CC ID 13765 | Privacy protection for information and data | Preventive | |
Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Privacy protection for information and data | Preventive | |
Include an individual's license plate number in the personal data definition. CC ID 13763 | Privacy protection for information and data | Preventive | |
Include an individual's account balances in the personal data definition. CC ID 13770 | Privacy protection for information and data | Preventive | |
Include an individual's logon credentials in the personal data definition. CC ID 13771 | Privacy protection for information and data | Preventive | |
Include an individual's military identification number in the personal data definition. CC ID 13083 | Privacy protection for information and data | Preventive | |
Refrain from including publicly available information in the personal data definition. CC ID 13084 | Privacy protection for information and data | Preventive | |
Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Preventive | |
Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Privacy protection for information and data | Preventive | |
Provide the data subject with the data collector's name and contact information. CC ID 00024 [For the purposes of subsection (4), the organisation must inform the individual of the following: on request by the individual, the business contact information of a person who is able to answer the individual's questions about that collection, use or disclosure (as the case may be) on behalf of the organisation. § 20.(5)(b)] | Privacy protection for information and data | Preventive | |
Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Privacy protection for information and data | Preventive | |
Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data transfer program. CC ID 00307 | Privacy protection for information and data | Preventive | |
Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 | Privacy protection for information and data | Preventive | |
Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 [{other country} An organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under this Act to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under this Act. § 26.(1)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a privacy impact assessment. CC ID 13712 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify and implement reasonable measures to — reduce the likelihood that the adverse effect will occur; or § 15A.(5)(b)(ii) The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify and implement reasonable measures to — eliminate the adverse effect; § 15A.(5)(b)(i) The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify and implement reasonable measures to — mitigate the adverse effect; and § 15A.(5)(b)(iii)] | Privacy protection for information and data | Preventive | |
Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 | Privacy protection for information and data | Preventive | |
Include how to grant consent in the privacy impact assessment. CC ID 15519 | Privacy protection for information and data | Preventive | |
Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 | Privacy protection for information and data | Preventive | |
Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 | Privacy protection for information and data | Preventive | |
Include data handling procedures in the privacy impact assessment. CC ID 15516 | Privacy protection for information and data | Preventive | |
Include the intended use of information in the privacy impact assessment. CC ID 15515 | Privacy protection for information and data | Preventive | |
Include the reason information is being collected in the privacy impact assessment. CC ID 15514 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 [An organisation shall — develop a process to receive and respond to complaints that may arise with respect to the application of this Act; § 12.(b)] | Privacy protection for information and data | Preventive | |
Include potential remedies in the privacy dispute resolution program. CC ID 12531 | Privacy protection for information and data | Preventive | |
Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 | Privacy protection for information and data | Preventive | |
Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 | Privacy protection for information and data | Preventive | |
Document unresolved challenges. CC ID 13568 [An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. Section 22 shall not apply in respect of— any examination conducted by an education institution, examination scripts and, prior to the release of examination results, examination results; SIXTH SCHEDULE § 1.(b) An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. Section 22 shall not apply in respect of— the personal data of the beneficiaries of a private trust kept solely for the purpose of administering the trust; SIXTH SCHEDULE § 1.(c) An organisation is not required to provide information under section 21(1) in respect of — a document related to a prosecution if all proceedings related to the prosecution have not been completed; or SIXTH SCHEDULE § 1.(e)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 | Privacy protection for information and data | Preventive | |
Document disagreements as to whether personal data is complete and accurate. CC ID 06952 | Privacy protection for information and data | Preventive | |
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 [An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. Section 22 shall not apply in respect of— opinion data kept solely for an evaluative purpose; SIXTH SCHEDULE § 1.(a) If no correction is made under subsection (2)(a) or (4), the organisation shall annotate the personal data in its possession or under its control with the correction that was requested but not made. § 22.(5)] | Privacy protection for information and data | Preventive | |
Define the organization's liability based on the applicable law. CC ID 00504 | Privacy protection for information and data | Preventive | |
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 [A person who suffers loss or damage directly as a result of a contravention — has a right of action for relief in civil proceedings in a court. § 48O.(1) ¶ 1 A telecommunications service provider which contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000. § 42.(2)] | Privacy protection for information and data | Preventive | |
Define the appeal process based on the applicable law. CC ID 00506 [The application for reconsideration — must be made in the form and manner required by the Commission; and § 48N.(4)(b) An organisation or a person aggrieved by a financial penalty imposed by the Commission under section 48J(1) on the organisation or person may make a written application to the Commission to reconsider the decision to impose the financial penalty or the amount of the financial penalty so imposed in accordance with this section. § 48N.(2) The application for reconsideration — subject to subsection (5), must be submitted to the Commission within the prescribed period; § 48N.(4)(a) The application for reconsideration — must set out the grounds on which the applicant is requesting the reconsideration. § 48N.(4)(c)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain customer data authentication procedures. CC ID 13187 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain an anti-spam policy. CC ID 00283 [Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes the information, and complies with the conditions, specified in the regulations, if any; and § 44.(c) For the purposes of subsection (1), the person has valid confirmation that a Singapore telephone number is not listed in the relevant register in either of the following circumstances: the person has obtained from a checker information that the Singapore telephone number is not listed in the relevant register (called in this section the relevant information) and has no reason to believe that, and is not reckless as to whether — § 43.(2)(b)] | Privacy protection for information and data | Preventive | |
Include information identifying the organization hired to send commercial electronic messages when sending commercial electronic messages through a third party. CC ID 00286 | Privacy protection for information and data | Detective | |
Define aggravated violations that relate to commercial electronic messages. CC ID 00293 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a do-not-e-mail registry. CC ID 00297 | Privacy protection for information and data | Preventive | |
Include that commercial electronic messages may be sent to an individual in any situation where the sender has prior consent from the individual or another existing business relationship in the anti-spam policy. CC ID 00300 | Privacy protection for information and data | Preventive | |
Document erroneous messages when an unsolicited commercial electronic message is accidentally sent. CC ID 00303 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources management | Preventive | |
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources management | Preventive | |
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources management | Preventive | |
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources management | Preventive | |
Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources management | Preventive | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Operational management | Preventive | |
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Operational management | Preventive | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Operational management | Preventive | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Preventive | |
Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 | Privacy protection for information and data | Preventive | |
Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 [An organisation shall designate one or more individuals to be responsible for ensuring that the organisation complies with this Act. § 11.(3)] | Privacy protection for information and data | Preventive | |
Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Detective | |
Analyze requirements for processing personal data in contracts. CC ID 12550 | Privacy protection for information and data | Detective | |
Confirm the data quality of personal data collected from third parties. CC ID 13510 | Privacy protection for information and data | Detective | |
Review the methods for collecting personal data, as necessary. CC ID 13511 | Privacy protection for information and data | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — conduct an assessment to determine that the proposed collection, use or disclosure of the personal data is not likely to have an adverse effect on the individual; § 15A.(4)(a) {legitimate interest}For the purposes of sub-paragraph (1), the organisation must — conduct an assessment, before collecting, using or disclosing the personal data (as the case may be), to determine whether sub-paragraph (1) is satisfied; and FIRST SCHEDULE PART 3 § 1.(2)(a)] | Audits and risk management | Preventive | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Operational management | Preventive | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 | Operational management | Preventive | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Preventive | |
Review and approve access controls, as necessary. CC ID 13074 | Operational management | Detective | |
Provide management direction and support for the information security program. CC ID 11999 | Operational management | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Preventive | |
Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Preventive | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Preventive | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Operational management | Preventive | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Preventive | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Preventive | |
Analyze the organizational culture. CC ID 12899 | Operational management | Preventive | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Detective | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Detective | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Detective | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Corrective | |
Revoke the written request to delay the notification. CC ID 16843 | Operational management | Preventive | |
Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Preventive | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Preventive | |
Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 | Privacy protection for information and data | Preventive | |
Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 [{person}A checker must — provide the applicable information to P in accordance with any prescribed requirements. § 43A.(2)(b)] | Privacy protection for information and data | Preventive | |
Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Preventive | |
Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Preventive | |
Confirm the individual's identity before granting an opt-out request. CC ID 16813 | Privacy protection for information and data | Preventive | |
Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Preventive | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 | Privacy protection for information and data | Preventive | |
Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 | Privacy protection for information and data | Detective | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Privacy protection for information and data | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Privacy protection for information and data | Preventive | |
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 [{individual's vital interest}{collect}{disclose} Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — FIRST SCHEDULE PART 1 § 1.(1)] | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Preventive | |
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Preventive | |
Define the fee structure for the appeal process. CC ID 16532 | Privacy protection for information and data | Preventive | |
Define the time requirements for the appeal process. CC ID 16531 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Preventive | |
Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 | Privacy protection for information and data | Preventive | |
Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 | Privacy protection for information and data | Preventive | |
Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 | Privacy protection for information and data | Corrective | |
Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 | Privacy protection for information and data | Corrective | |
Grant access to education records in support of educational program audits. CC ID 13032 | Privacy protection for information and data | Preventive | |
Grant access to education records in support of external requirements. CC ID 13033 | Privacy protection for information and data | Preventive | |
Collect and retain disclosure authorizations for each data subject. CC ID 13434 | Privacy protection for information and data | Preventive | |
Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Preventive | |
Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Preventive | |
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Corrective | |
Refrain from processing restricted data, as necessary. CC ID 12551 [Notwithstanding the other provisions in this Part, an organisation may use personal data about an individual collected before the appointed day for the purposes for which the personal data was collected unless — the individual, whether before, on or after the appointed day, has otherwise indicated to the organisation that he does not consent to the use of the personal data. § 19.(b) An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless — § 13.] | Privacy protection for information and data | Preventive | |
Include the data protection officer's contact information in the record of processing activities. CC ID 12640 | Privacy protection for information and data | Preventive | |
Include the data processor's contact information in the record of processing activities. CC ID 12657 | Privacy protection for information and data | Preventive | |
Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 | Privacy protection for information and data | Preventive | |
Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 | Privacy protection for information and data | Preventive | |
Include a description of the data subject categories in the record of processing activities. CC ID 12659 | Privacy protection for information and data | Preventive | |
Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 | Privacy protection for information and data | Preventive | |
Include the personal data processing categories in the record of processing activities. CC ID 12661 | Privacy protection for information and data | Preventive | |
Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 | Privacy protection for information and data | Preventive | |
Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 | Privacy protection for information and data | Preventive | |
Include a description of the personal data categories in the record of processing activities. CC ID 12660 | Privacy protection for information and data | Preventive | |
Include the joint data controller's contact information in the record of processing activities. CC ID 12639 | Privacy protection for information and data | Preventive | |
Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 | Privacy protection for information and data | Preventive | |
Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 | Privacy protection for information and data | Preventive | |
Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 | Privacy protection for information and data | Preventive | |
Include the data controller's contact information in the record of processing activities. CC ID 12637 | Privacy protection for information and data | Preventive | |
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Privacy protection for information and data | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Privacy protection for information and data | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Privacy protection for information and data | Preventive | |
Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 [An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless — § 13.] | Privacy protection for information and data | Preventive | |
Remove personal data from records after receiving a personal data removal request. CC ID 11972 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Preventive | |
Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 | Privacy protection for information and data | Preventive | |
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Privacy protection for information and data | Preventive | |
Employ a random number generator to create authenticators. CC ID 13782 | Privacy protection for information and data | Preventive | |
Provide unobservability of users and resources. CC ID 04551 | Privacy protection for information and data | Preventive | |
Implement security measures to protect personal data. CC ID 13606 [{storage device}An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent — the loss of any storage medium or device on which personal data is stored. § 24.(b) {absent authorization}An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent — unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and § 24.(a)] | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign and staff all roles appropriately. CC ID 00784 | Human Resources management | Detective | |
Record restricted data correctly. CC ID 00089 | Privacy protection for information and data | Detective | |
Refrain from unknowingly including hyperlinks in commercial electronic messages to the anti-spam policy's country of origin. CC ID 00305 | Privacy protection for information and data | Detective |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Actionable Reports or Measurements | |
Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Establish/Maintain Documentation | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Process or Activity | |
Share incident information with interested personnel and affected parties. CC ID 01212 [{data breach} The notification under subsection (1) must be made in the form and submitted in the manner required by the Commission. § 26D.(4)] | Operational management | Data and Information Management | |
Share data loss event information with the media. CC ID 01759 | Operational management | Behavior | |
Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Establish/Maintain Documentation | |
Report data loss event information to breach notification organizations. CC ID 01210 [Where an organisation assesses, in accordance with section 26C, that a data breach is a notifiable data breach, the organisation must notify the Commission as soon as is practicable, but in any case no later than 3 calendar days after the day the organisation makes that assessment. § 26D.(1)] | Operational management | Data and Information Management | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Behavior | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 [Where a data intermediary (other than a data intermediary mentioned in section 26E) has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation — the data intermediary must, without undue delay, notify that other organisation of the occurrence of the data breach; and § 26C.(3)(a) Subject to subsections (5), (6) and (7), on or after notifying the Commission under subsection (1), the organisation must also notify each affected individual affected by a notifiable data breach mentioned in section 26B(1)(a) in any manner that is reasonable in the circumstances. § 26D.(2) {refrain from delaying} the organisation must, without undue delay, notify the public agency of the occurrence of the data breach. § 26E. ¶ 1] | Operational management | Behavior | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 | Operational management | Behavior | |
Establish, implement, and maintain incident response notifications. CC ID 12975 [{data breach} The notification under subsection (1) must be made in the form and submitted in the manner required by the Commission. § 26D.(4)] | Operational management | Establish/Maintain Documentation | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Communicate | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Business Processes | |
Send paper incident response notifications to affected parties, as necessary. CC ID 00366 | Operational management | Behavior | |
Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 | Operational management | Behavior | |
Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 | Operational management | Behavior | |
Telephone incident response notifications to affected parties, as necessary. CC ID 04650 | Operational management | Behavior | |
Publish the incident response notification in a general circulation periodical. CC ID 04651 | Operational management | Behavior | |
Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 | Operational management | Behavior | |
Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Communicate | |
Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 | Privacy protection for information and data | Records Management | |
Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 | Privacy protection for information and data | Records Management | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Communicate | |
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Records Management | |
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Privacy protection for information and data | Communicate | |
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Privacy protection for information and data | Communicate | |
Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 [{data breach}{notifiable data breach} The organisation must carry out the assessment mentioned in subsection (2) or (3)(b) in accordance with any prescribed requirements. § 26C.(4)] | Privacy protection for information and data | Communicate | |
Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 | Privacy protection for information and data | Communicate | |
Change or destroy any personal data that is incorrect. CC ID 00462 [When an organisation is notified under subsection (2)(b) or (3) of a correction of personal data, the organisation shall correct the personal data in its possession or under its control unless the organisation is satisfied on reasonable grounds that the correction should not be made. § 22.(4) Unless the organisation is satisfied on reasonable grounds that a correction should not be made, the organisation shall — correct the personal data as soon as practicable; and § 22.(2)(a)] | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Privacy protection for information and data | Behavior | |
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 | Privacy protection for information and data | Behavior | |
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 [subject to subsection (3), send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the date the correction was made, unless that other organisation does not need the corrected personal data for any legal or business purpose. § 22.(2)(b) An organisation (not being a credit bureau) may, if the individual consents, send the corrected personal data only to specific organisations to which the personal data was disclosed by the organisation within a year before the date the correction was made. § 22.(3)] | Privacy protection for information and data | Behavior |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Assign and staff all roles appropriately. CC ID 00784 | Human Resources management | Testing | |
Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Business Processes | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Establish/Maintain Documentation | |
Review and approve access controls, as necessary. CC ID 13074 | Operational management | Process or Activity | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Investigate | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Process or Activity | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Process or Activity | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Process or Activity | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Log Management | |
Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 [Where a data intermediary (other than a data intermediary mentioned in section 26E) has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation — that other organisation must, upon notification by the data intermediary, conduct an assessment of whether the data breach is a notifiable data breach. § 26C.(3)(b) {reasonable manner}{be efficient} Subject to subsection (3), where an organisation has reason to believe that a data breach affecting personal data in its possession or under its control has occurred, the organisation must conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach. § 26C.(2)] | Operational management | Behavior | |
Avoid false positive incident response notifications. CC ID 04732 | Operational management | Behavior | |
Include information required by law in incident response notifications. CC ID 00802 [The notification under subsection (1) or (2) must contain, to the best of the knowledge and belief of the organisation at the time it notifies the Commission or affected individual (as the case may be), all the information that is prescribed for this purpose. § 26D.(3)] | Operational management | Establish/Maintain Documentation | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Establish/Maintain Documentation | |
Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 | Privacy protection for information and data | Process or Activity | |
Analyze requirements for processing personal data in contracts. CC ID 12550 | Privacy protection for information and data | Investigate | |
Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the collection and use of that personal data by B; § 15.(3)(b)] | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 [{contravene} An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to — be contrary to the national interest. § 21.(3)(e)] | Privacy protection for information and data | Data and Information Management | |
Confirm the data quality of personal data collected from third parties. CC ID 13510 | Privacy protection for information and data | Investigate | |
Review the methods for collecting personal data, as necessary. CC ID 13511 | Privacy protection for information and data | Investigate | |
Investigate privacy rights violation complaints. CC ID 00480 | Privacy protection for information and data | Behavior | |
Record restricted data correctly. CC ID 00089 | Privacy protection for information and data | Testing | |
Include information identifying the organization hired to send commercial electronic messages when sending commercial electronic messages through a third party. CC ID 00286 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from unknowingly including hyperlinks in commercial electronic messages to the anti-spam policy's country of origin. CC ID 00305 | Privacy protection for information and data | Testing |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — conduct an assessment to determine that the proposed collection, use or disclosure of the personal data is not likely to have an adverse effect on the individual; § 15A.(4)(a) {legitimate interest}For the purposes of sub-paragraph (1), the organisation must — conduct an assessment, before collecting, using or disclosing the personal data (as the case may be), to determine whether sub-paragraph (1) is satisfied; and FIRST SCHEDULE PART 3 § 1.(2)(a)] | Audits and risk management | Process or Activity | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Establish/Maintain Documentation | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Establish/Maintain Documentation | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Establish/Maintain Documentation | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Audits and risk management | Establish/Maintain Documentation | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Communicate | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Establish/Maintain Documentation | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [{legitimate interest}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify and implement reasonable measures — to eliminate the adverse effect; FIRST SCHEDULE PART 3 § 1.(3)(b)(i) {legitimate interest}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify and implement reasonable measures — to reduce the likelihood that the adverse effect will occur; or FIRST SCHEDULE PART 3 § 1.(3)(b)(ii) {legitimate interest}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify and implement reasonable measures — to mitigate the adverse effect; and FIRST SCHEDULE PART 3 § 1.(3)(b)(iii)] | Audits and risk management | Establish/Maintain Documentation | |
Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources management | Human Resources Management | |
Identify and define all critical roles. CC ID 00777 | Human Resources management | Establish Roles | |
Define and assign the data controller's roles and responsibilities. CC ID 00471 [An organisation is responsible for personal data in its possession or under its control. § 11.(2)] | Human Resources management | Establish Roles | |
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources management | Human Resources Management | |
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources management | Human Resources Management | |
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources management | Human Resources Management | |
Assign the role of data controller to applicable controls. CC ID 00354 | Human Resources management | Establish Roles | |
Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources management | Human Resources Management | |
Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Human Resources management | Establish Roles | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Human Resources management | Establish Roles | |
Delegate authority for specific processes, as necessary. CC ID 06780 [An individual designated under subsection (3) may delegate to another individual the responsibility conferred by that designation. § 11.(4)] | Human Resources management | Behavior | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [An organisation shall — develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under this Act; § 12.(a)] | Operational management | Establish/Maintain Documentation | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 | Operational management | Behavior | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Establish/Maintain Documentation | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 | Operational management | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Operational management | Establish/Maintain Documentation | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Operational management | Process or Activity | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 | Operational management | Process or Activity | |
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Operational management | Audits and Risk Management | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Operational management | Human Resources Management | |
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Operational management | Human Resources Management | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Establish/Maintain Documentation | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Operational management | Establish/Maintain Documentation | |
Include the scope in the compliance policy. CC ID 14812 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Communicate | |
Include management commitment in the compliance policy. CC ID 14808 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Operational management | Communicate | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 | Operational management | Business Processes | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Behavior | |
Establish, implement, and maintain an internal control framework. CC ID 00820 | Operational management | Establish/Maintain Documentation | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Business Processes | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Establish Roles | |
Assign resources to implement the internal control framework. CC ID 00816 | Operational management | Business Processes | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Operational management | Establish Roles | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Operational management | Business Processes | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Establish/Maintain Documentation | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Establish/Maintain Documentation | |
Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Business Processes | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Establish/Maintain Documentation | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Establish/Maintain Documentation | |
Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Establish/Maintain Documentation | |
Automate threat assessments, as necessary. CC ID 06877 | Operational management | Configuration | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Establish/Maintain Documentation | |
Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Configuration | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Establish/Maintain Documentation | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Establish/Maintain Documentation | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Establish/Maintain Documentation | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Establish/Maintain Documentation | |
Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Communicate | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Process or Activity | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Establish/Maintain Documentation | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Establish/Maintain Documentation | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Establish/Maintain Documentation | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Communicate | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Operational management | Communicate | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Establish/Maintain Documentation | |
Include physical safeguards in the information security program. CC ID 12375 | Operational management | Establish/Maintain Documentation | |
Include technical safeguards in the information security program. CC ID 12374 | Operational management | Establish/Maintain Documentation | |
Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Establish/Maintain Documentation | |
Include system development in the information security program. CC ID 12389 | Operational management | Establish/Maintain Documentation | |
Include system maintenance in the information security program. CC ID 12388 | Operational management | Establish/Maintain Documentation | |
Include system acquisition in the information security program. CC ID 12387 | Operational management | Establish/Maintain Documentation | |
Include access control in the information security program. CC ID 12386 | Operational management | Establish/Maintain Documentation | |
Include operations management in the information security program. CC ID 12385 | Operational management | Establish/Maintain Documentation | |
Include communication management in the information security program. CC ID 12384 | Operational management | Establish/Maintain Documentation | |
Include environmental security in the information security program. CC ID 12383 | Operational management | Establish/Maintain Documentation | |
Include physical security in the information security program. CC ID 12382 | Operational management | Establish/Maintain Documentation | |
Include human resources security in the information security program. CC ID 12381 | Operational management | Establish/Maintain Documentation | |
Include asset management in the information security program. CC ID 12380 | Operational management | Establish/Maintain Documentation | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Establish/Maintain Documentation | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Establish/Maintain Documentation | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Establish/Maintain Documentation | |
Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Establish/Maintain Documentation | |
Include risk management in the information security program. CC ID 12378 | Operational management | Establish/Maintain Documentation | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Establish/Maintain Documentation | |
Provide management direction and support for the information security program. CC ID 11999 | Operational management | Process or Activity | |
Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an information security policy. CC ID 11740 | Operational management | Establish/Maintain Documentation | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Business Processes | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Establish/Maintain Documentation | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Establish/Maintain Documentation | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Establish/Maintain Documentation | |
Include information security objectives in the information security policy. CC ID 13493 | Operational management | Establish/Maintain Documentation | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Establish/Maintain Documentation | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Establish/Maintain Documentation | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Process or Activity | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Business Processes | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Communicate | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Establish/Maintain Documentation | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Process or Activity | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Establish Roles | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Operational management | Human Resources Management | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Establish/Maintain Documentation | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Human Resources Management | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Operational management | Communicate | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Establish/Maintain Documentation | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Business Processes | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Business Processes | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Behavior | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Establish/Maintain Documentation | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Establish/Maintain Documentation | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Establish/Maintain Documentation | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Establish/Maintain Documentation | |
Include startup processes in operational control procedures. CC ID 00833 | Operational management | Establish/Maintain Documentation | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Establish/Maintain Documentation | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Process or Activity | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Establish/Maintain Documentation | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Establish/Maintain Documentation | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Establish/Maintain Documentation | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Establish/Maintain Documentation | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Establish/Maintain Documentation | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Establish/Maintain Documentation | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Establish/Maintain Documentation | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Establish/Maintain Documentation | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Establish/Maintain Documentation | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Establish/Maintain Documentation | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Establish/Maintain Documentation | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Establish/Maintain Documentation | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Records Management | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Business Processes | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Process or Activity | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Business Processes | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Communicate | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Establish/Maintain Documentation | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Establish/Maintain Documentation | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Establish/Maintain Documentation | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Establish/Maintain Documentation | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Establish/Maintain Documentation | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Establish/Maintain Documentation | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Establish/Maintain Documentation | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Establish/Maintain Documentation | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Establish/Maintain Documentation | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Establish/Maintain Documentation | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Establish/Maintain Documentation | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Technical Security | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Establish/Maintain Documentation | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Data and Information Management | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Establish/Maintain Documentation | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Establish/Maintain Documentation | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Establish/Maintain Documentation | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Establish/Maintain Documentation | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Establish/Maintain Documentation | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Establish/Maintain Documentation | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Communicate | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Establish/Maintain Documentation | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Business Processes | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Establish/Maintain Documentation | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Establish/Maintain Documentation | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Establish/Maintain Documentation | |
Identify the sender in all electronic messages. CC ID 13996 [{be clear}{be accurate}Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes clear and accurate information identifying the individual or organisation that sent or authorised the sending of the specified message; § 44.(a) {be clear}{be accurate}Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes clear and accurate information about how the recipient can readily contact that individual or organisation; § 44.(b) Subject to section 48(3), a person that makes a voice call containing a specified message or causes a voice call containing a specified message to be made or authorises the making of a voice call containing a specified message, addressed to a Singapore telephone number, from a telephone number or fax number, must not do any of the following: conceal or withhold from the recipient the calling line identity of the sender; § 45.(a) Subject to section 48(3), a person that makes a voice call containing a specified message or causes a voice call containing a specified message to be made or authorises the making of a voice call containing a specified message, addressed to a Singapore telephone number, from a telephone number or fax number, must not do any of the following: perform any operation or issue any instruction in connection with the sending of the specified message for the purpose of, or that has the effect of, concealing or withholding from the recipient the calling line identity of the sender. § 45.(b)] | Operational management | Data and Information Management | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Communicate | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Establish/Maintain Documentation | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 | Operational management | Establish/Maintain Documentation | |
Include use limitations in the use of information agreement. CC ID 06244 | Operational management | Establish/Maintain Documentation | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Establish/Maintain Documentation | |
Include information recipients in the use of information agreement. CC ID 06245 | Operational management | Establish/Maintain Documentation | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Establish/Maintain Documentation | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Operational management | Establish/Maintain Documentation | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Operational management | Establish/Maintain Documentation | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Establish/Maintain Documentation | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Operational management | Establish/Maintain Documentation | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Operational management | Establish/Maintain Documentation | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Process or Activity | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Process or Activity | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Operational management | Process or Activity | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Process or Activity | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Process or Activity | |
Analyze the organizational culture. CC ID 12899 | Operational management | Process or Activity | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Behavior | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Business Processes | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Business Processes | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Business Processes | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Behavior | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Behavior | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Business Processes | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Behavior | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Behavior | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{reasonable and appropriate measure} In meeting its responsibilities under this Act, an organisation shall consider what a reasonable person would consider appropriate in the circumstances. § 11.(1) The designation of an individual by an organisation under subsection (3) shall not relieve the organisation of any of its obligations under this Act. § 11.(6) {legitimate interest}{personal data}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — comply with any other prescribed requirements. FIRST SCHEDULE PART 3 § 1.(3)(c)] | Operational management | Establish/Maintain Documentation | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Communicate | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Business Processes | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [An organisation shall — communicate to its staff information about the organisation's policies and practices referred to in paragraph (a); and § 12.(c) An organisation shall — make information available on request about— the policies and practices referred to in paragraph (a); and § 12.(d)(i)] | Operational management | Behavior | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Business Processes | |
Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Establish/Maintain Documentation | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Data and Information Management | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Communicate | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Communicate | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Establish/Maintain Documentation | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Communicate | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Communicate | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Establish/Maintain Documentation | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Establish/Maintain Documentation | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Communicate | |
Revoke the written request to delay the notification. CC ID 16843 | Operational management | Process or Activity | |
Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 | Operational management | Establish/Maintain Documentation | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Business Processes | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Establish/Maintain Documentation | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Establish/Maintain Documentation | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Establish/Maintain Documentation | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Establish/Maintain Documentation | |
Use plain language to write incident response notifications. CC ID 12976 | Operational management | Establish/Maintain Documentation | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Establish/Maintain Documentation | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Actionable Reports or Measurements | |
Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Establish/Maintain Documentation | |
Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Establish/Maintain Documentation | |
Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Establish/Maintain Documentation | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Establish/Maintain Documentation | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 | Operational management | Establish/Maintain Documentation | |
Include time information in incident response notifications. CC ID 04745 | Operational management | Establish/Maintain Documentation | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Establish/Maintain Documentation | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Establish/Maintain Documentation | |
Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Establish/Maintain Documentation | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Establish/Maintain Documentation | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Establish/Maintain Documentation | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Establish/Maintain Documentation | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Establish/Maintain Documentation | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Establish/Maintain Documentation | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Establish/Maintain Documentation | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Establish/Maintain Documentation | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Establish/Maintain Documentation | |
Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Establish/Maintain Documentation | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Establish/Maintain Documentation | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Establish/Maintain Documentation | |
Include contact information in incident response notifications. CC ID 04739 | Operational management | Establish/Maintain Documentation | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Communicate | |
Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Process or Activity | |
Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Process or Activity | |
Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 | Operational management | Behavior | |
Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Establish/Maintain Documentation | |
Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 | Operational management | Establish/Maintain Documentation | |
Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 | Operational management | Behavior | |
Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 | Operational management | Behavior | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain opt-out notices. CC ID 13448 [A subscriber may apply to the Commission, in the form and manner prescribed — to remove his Singapore telephone number from a register. § 40.(1)(b)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the opt out method for data subjects in the opt-out notice. CC ID 13467 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 | Privacy protection for information and data | Establish/Maintain Documentation | |
Explain the right to opt out in the opt-out notice. CC ID 13462 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the organization's right to share personal data in the opt-out notice. CC ID 13450 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain adequate openness procedures. CC ID 00377 [{absent consent} An organisation, on or before collecting personal data about an individual from another organisation without the consent of the individual, shall provide the other organisation with sufficient information regarding the purpose of the An organisation shall — make information available on request about — § 12.(d)] | Privacy protection for information and data | Data and Information Management | |
Provide public proof the organization participates in a privacy program. CC ID 12349 | Privacy protection for information and data | Communicate | |
Publish a description of processing activities in an official register. CC ID 00379 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish and maintain a records request manual. CC ID 00381 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 | Privacy protection for information and data | Establish/Maintain Documentation | |
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 | Privacy protection for information and data | Behavior | |
Define what is included in registration notices. CC ID 00386 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include roles and responsibilities in the registration notice. CC ID 16803 | Privacy protection for information and data | Establish Roles | |
Include the verification method in the registration notice. CC ID 16798 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the statutory authority in the registration notice. CC ID 16799 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include a purpose specification description in the registration notice. CC ID 00388 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include information about the dispute resolution body in the registration notice. CC ID 16800 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the data subject category being processed in the registration notice. CC ID 00389 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the time period for data processing in the registration notice. CC ID 00390 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide legal authorities access to personal data, upon request. CC ID 06818 | Privacy protection for information and data | Data and Information Management | |
Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 | Privacy protection for information and data | Process or Activity | |
Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 [For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of— on request by the individual, the business contact information of a person who is able to answer on behalf of the organisation the individual's questions about the collection, use or disclosure of the personal data. § 20.(1)(c) An organisation shall make available to the public the business contact information of at least one of the individuals designated under subsection (3) or delegated under subsection (4). § 11.(5) Without limiting subsection (5), an organisation is deemed to have satisfied that subsection if the organisation makes available the business contact information of any individual mentioned in subsection (3) in any prescribed manner. § 11.(5A)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 [An organisation shall — make information available on request about — the complaint process referred to in paragraph (b). § 12.(d).(ii)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 [{person}A checker must — provide the applicable information to P in accordance with any prescribed requirements. § 43A.(2)(b)] | Privacy protection for information and data | Process or Activity | |
Document the countries where restricted data may be stored. CC ID 12750 | Privacy protection for information and data | Data and Information Management | |
Protect the rights of students and their parents or legal representatives. CC ID 00222 | Privacy protection for information and data | Data and Information Management | |
Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 | Privacy protection for information and data | Technical Security | |
Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 | Privacy protection for information and data | Records Management | |
Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 | Privacy protection for information and data | Records Management | |
Define the criteria for waivers of data subjects' rights. CC ID 16858 | Privacy protection for information and data | Behavior | |
Revoke waivers of data subject's rights, as necessary. CC ID 16859 | Privacy protection for information and data | Behavior | |
Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disclose educational data, as necessary. CC ID 00223 [{disclose}{without consent} The disclosure of personal data about an individual who is a current or former student of an educational institution to a public agency for the purposes of policy formulation or review. SECOND SCHEDULE PART 3 Division 1 § 2.] | Privacy protection for information and data | Data and Information Management | |
Grant access to education records in support of educational program audits. CC ID 13032 | Privacy protection for information and data | Records Management | |
Grant access to education records in support of external requirements. CC ID 13033 | Privacy protection for information and data | Records Management | |
Disclose statements added to education records, as necessary. CC ID 12990 | Privacy protection for information and data | Communicate | |
Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 | Privacy protection for information and data | Data and Information Management | |
Disclose education records when written consent is received. CC ID 00224 | Privacy protection for information and data | Data and Information Management | |
Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 | Privacy protection for information and data | Establish/Maintain Documentation | |
Specify the purpose of the disclosure in the written consent. CC ID 13001 | Privacy protection for information and data | Establish/Maintain Documentation | |
Specify which education records may be disclosed in the written consent. CC ID 13000 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the conditions when consent is not required to disclose educational data. CC ID 00225 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 | Privacy protection for information and data | Communicate | |
Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 | Privacy protection for information and data | Communicate | |
Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 | Privacy protection for information and data | Communicate | |
Disclose educational data absent consent to other school officials. CC ID 00226 | Privacy protection for information and data | Data and Information Management | |
Disclose educational data absent consent to another institution's school officials. CC ID 00227 | Privacy protection for information and data | Data and Information Management | |
Disclose educational data absent consent in connection with financial aid. CC ID 00229 | Privacy protection for information and data | Data and Information Management | |
Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 | Privacy protection for information and data | Data and Information Management | |
Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 | Privacy protection for information and data | Communicate | |
Disclose educational data absent consent to accrediting organizations. CC ID 00231 | Privacy protection for information and data | Data and Information Management | |
Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 | Privacy protection for information and data | Data and Information Management | |
Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 | Privacy protection for information and data | Data and Information Management | |
Disclose educational data absent consent for a health and safety emergency. CC ID 00234 | Privacy protection for information and data | Data and Information Management | |
Disclose educational data absent consent when it is merely directory information. CC ID 00235 | Privacy protection for information and data | Data and Information Management | |
Disclose educational data absent consent to a crime victim. CC ID 00236 | Privacy protection for information and data | Data and Information Management | |
Record the health and safety threats of students when disclosing personal data. CC ID 12997 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from providing information to the data subject, as necessary. CC ID 12625 [An organisation is not required to provide information under section 21(1) in respect of— any examination conducted by an education institution, examination scripts and, prior to the release of examination results, examination results; FIFTH SCHEDULE § 1.(b) An organisation is not required to provide information under section 21(1) in respect of— the personal data of the beneficiaries of a private trust kept solely for the purpose of administering the trust; FIFTH SCHEDULE § 1.(c) An organisation is not required to provide information under section 21(1) in respect of— personal data kept by an arbitral institution or a mediation centre solely for the purposes of An organisation is not required to provide information under section 21(1) in respect of— a document related to a prosecution if all proceedings related to the prosecution have An organisation is not required to provide information under section 21(1) in respect of— personal data which is subject to An organisation is not required to provide information under section 21(1) in respect of— personal data kept by an arbitral institution or a mediation centre solely for the purposes of {notifiable data breach}An organisation must not notify any affected individual in accordance with subsection (2) if — the Commission so directs. § 26D.(6)(b) An organisation is not required to provide information under section 21(1) in respect of — derived personal data. SIXTH SCHEDULE § 1.(f)] | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 [{notifiable data breach}An organisation must not notify any affected individual in accordance with subsection (2) if — a prescribed law enforcement agency so instructs; or § 26D.(6)(a)] | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 | Privacy protection for information and data | Communicate | |
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 | Privacy protection for information and data | Communicate | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 [{legitimate interest}For the purposes of sub-paragraph (1), the organisation must — provide the individual with reasonable access to information about the organisation's collection, use or disclosure of personal data (as the case may be) in accordance with sub-paragraph (1). FIRST SCHEDULE PART 3 § 1.(2)(b)] | Privacy protection for information and data | Data and Information Management | |
Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 | Privacy protection for information and data | Business Processes | |
Provide the data subject with the data protection officer's contact information. CC ID 12573 | Privacy protection for information and data | Business Processes | |
Notify the data subject of the right to data portability. CC ID 12603 | Privacy protection for information and data | Process or Activity | |
Provide the data subject with information about the right to erasure. CC ID 12602 | Privacy protection for information and data | Process or Activity | |
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [Any person may apply to the Commission, in the form and manner required by the Commission, to confirm whether any Singapore telephone number is listed in a register. § 40.(2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Privacy protection for information and data | Data and Information Management | |
Establish and maintain a disclosure accounting record. CC ID 13022 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the disclosure purpose in the disclosure accounting record. CC ID 07135 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the organisation's intention to collect, use or disclose the personal data; § 15A.(4)(b)(i)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the purpose for which the personal data will be collected, used or disclosed; § 15A.(4)(b)(ii)] | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain personal data choice and consent program. CC ID 12569 [A subscriber may apply to the Commission, in the form and manner prescribed — to add his Singapore telephone number to a register; or § 40.(1)(a) A person does not contravene subsection (1) if the subscriber or user of the Singapore telephone number to which a specified message is sent — gave clear and unambiguous consent to the sending of the specified message to that Singapore telephone number; and § 43.(4)(a)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data request procedures. CC ID 16546 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435 | Privacy protection for information and data | Human Resources Management | |
Refrain from charging a fee to implement an opt-out request. CC ID 13877 | Privacy protection for information and data | Business Processes | |
Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433 [A person does not contravene subsection (1) if the subscriber or user of the Singapore telephone number to which a specified message is sent — the consent is evidenced in written or other form so as to be accessible for subsequent reference. § 43.(4)(b)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the identity of the data subject in the disclosure authorization form. CC ID 13436 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include how personal data will be used in the disclosure authorization form. CC ID 13441 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include agreement termination information in the disclosure authorization form. CC ID 13437 | Privacy protection for information and data | Establish/Maintain Documentation | |
Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 | Privacy protection for information and data | Business Processes | |
Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 | Privacy protection for information and data | Business Processes | |
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 | Privacy protection for information and data | Data and Information Management | |
Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Privacy protection for information and data | Business Processes | |
Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Privacy protection for information and data | Business Processes | |
Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 | Privacy protection for information and data | Data and Information Management | |
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [{allow} On giving notice, a subscriber or user of a Singapore telephone number may at any time withdraw any consent given to a person for the sending of any specified message to that Singapore telephone number. § 47.(1)] | Privacy protection for information and data | Business Processes | |
Confirm the individual's identity before granting an opt-out request. CC ID 16813 | Privacy protection for information and data | Process or Activity | |
Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 | Privacy protection for information and data | Establish/Maintain Documentation | |
Allow consent requests to be provided in any official languages. CC ID 16530 | Privacy protection for information and data | Business Processes | |
Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 | Privacy protection for information and data | Communicate | |
Collect and retain disclosure authorizations for each data subject. CC ID 13434 | Privacy protection for information and data | Records Management | |
Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 [{refrain from requiring}{is unreasonable} A person shall not, as a condition for supplying goods, services, land, interest or opportunity, require a subscriber or user of a Singapore telephone number to give consent for the sending of a specified message to that Singapore telephone number or any other Singapore telephone number beyond what is reasonable to provide the goods, services, land, interest or opportunity to that subscriber or user, and any consent given in such circumstance is not validly given. § 46.(1) An organisation shall not — as a condition of providing a product or service, require an individual to consent to the collection, use or disclosure of personal data about the individual beyond what is reasonable to provide the product or service to that individual; or § 14.(2)(a)] | Privacy protection for information and data | Data and Information Management | |
Refrain from obtaining consent through deception. CC ID 13556 [{deceptive act or practice}{refrain from accepting} If a person obtains or attempts to obtain consent for sending a specified message to a Singapore telephone number— by providing false or misleading information with respect to the sending of the specified message; or by using deceptive or misleading practices, any consent given in such circumstances is not validly given. § 46.(2) ¶ 1 An organisation shall not — obtain or attempt to obtain consent for collecting, using, or disclosing personal data by providing false or misleading information with respect to the collection, use, or disclosure of the personal data, or using deceptive or misleading practices. § 14.(2)(b)] | Privacy protection for information and data | Data and Information Management | |
Give individuals the ability to change the uses of their personal data. CC ID 00469 [{refrain from using} Notwithstanding the other provisions in this Part, an organisation may use personal data about an individual collected before the appointed day for the purposes for which the personal data was collected unless — consent for such use is withdrawn in accordance with section 16; or § 19.(a) A person shall not prohibit a subscriber or user of a Singapore telephone number from withdrawing his consent to the sending of a specified message to that Singapore telephone number, but this section shall not affect any legal consequences arising from such withdrawal. § 47.(2)] | Privacy protection for information and data | Data and Information Management | |
Notify data subjects of the implications of withdrawing consent. CC ID 13551 [On receipt of the notice referred to in subsection (1), the organisation concerned shall inform the individual of the likely consequences of withdrawing his consent. § 16.(2) An organisation shall not prohibit an individual from withdrawing his consent to the collection, use or disclosure of personal data about the individual, but this section shall not affect any legal consequences arising from such withdrawal. § 16.(3)] | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Establish/Maintain Documentation | |
Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 [An organisation shall designate one or more individuals to be responsible for ensuring that the organisation complies with this Act. § 11.(3)] | Privacy protection for information and data | Human Resources Management | |
Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Establish Roles | |
Notify the supervisory authority. CC ID 00472 [{terminated telephone number} Every telecommunications service provider shall report to the Commission, in the form and manner prescribed, all terminated Singapore telephone numbers. § 42.(1) {report}{terminated telephone number}For the purpose of subsection (1), where — it shall be the responsibility of the first provider to satisfy subsection (1). § 42.(4) ¶ 1] | Privacy protection for information and data | Behavior | |
Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Business Processes | |
Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Communicate | |
Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Establish/Maintain Documentation | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Business Processes | |
Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Process or Activity | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 | Privacy protection for information and data | Process or Activity | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 [{business improvement purpose}Sub-paragraph (1)(a) and (c) applies only if — X and Y are bound by any contract or other agreement or binding corporate rules requiring the recipient of personal data about P to implement and maintain appropriate safeguards for the personal data. FIRST SCHEDULE PART 5 § 1.(3)(c)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include data subject's rights in the Binding Corporate Rules. CC ID 12596 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include complaint procedures in the Binding Corporate Rules. CC ID 12613 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the data transfers in the Binding Corporate Rules. CC ID 12590 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain Data Processing Contracts. CC ID 12650 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 [For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — satisfy any other prescribed requirements. § 15A.(4)(c) The organisation must, in respect of the assessment mentioned in subsection (4)(a) — comply with any other prescribed requirements. § 15A.(5)(c) {person}A checker is deemed to have complied with subsection (2)(a) if — the applicable information that the checker provides to P is in accordance with a reply from the Commission in response to the checker's application under section 40(2); and § 43A.(3)(a)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 [{prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: if any personal data X collects from Y does not relate directly to the part of Y or Y's business assets with which the business asset transaction entered into is concerned, X must destroy, or return to Y, that personal data; FIRST SCHEDULE PART 4 § 1.(4)(b)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify the data subject of the collection purpose. CC ID 00095 [For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of— the purposes for the collection, use or disclosure of the personal data, as the case may be, on or before For the purposes of subsection (4), the organisation must inform the individual of the following: the purpose for which the organisation is collecting, using or disclosing (as the case may be) the personal data about the individual; § 20.(5)(a) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the purpose for which the personal data will be collected, used or disclosed; § 15A.(4)(b)(ii) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the organisation's intention to collect, use or disclose the personal data; § 15A.(4)(b)(i) {individual's vital interest} Where the organisation collects, uses or discloses (as the case may be) personal data about the individual under sub-paragraph (1), the organisation must, as soon as is practicable, notify the individual of the collection, use or disclosure (as the case may be) and the purpose for the collection, use or disclosure, as the case may be. FIRST SCHEDULE PART 1 § 1.(2)] | Privacy protection for information and data | Behavior | |
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of changes to personal data use. CC ID 00105 [For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of— any other purpose of the use or disclosure of the personal data of which the individual has not been informed under paragraph (a), before the use or disclosure of the personal data for that purpose; and § 20.(1)(b)] | Privacy protection for information and data | Behavior | |
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 [If an individual gives or is deemed to have given, consent to the disclosure of personal data about the individual by one organisation to another organisation for a particular purpose, the individual is deemed to consent to the collection, use, or disclosure of the personal data for that particular purpose by that other organisation. § 15.(2) {consent}{disclosure} Where an organisation collects personal data disclosed to it by B under subsection (3)(c), subsection (3)(b) and (c) applies to the organisation as if the personal data were disclosed by A to the organisation under subsection (3)(a). § 15.(4)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Privacy protection for information and data | Establish/Maintain Documentation | |
Dispose of media and restricted data in a timely manner. CC ID 00125 [{dispose}{deidentify}{no longer appropriate} An organisation shall cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that — the purpose for which that personal data was collected is no longer being served by retention of the personal data; and § 25.(a) {dispose}{deidentify} An organisation shall cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that— retention is no longer necessary for legal or business purposes. § 25.(b) {prospective party}{organization} If the business asset transaction does not proceed or is not completed, X must destroy, or return to Y, all personal data collected. FIRST SCHEDULE PART 4 § 1.(5) {organization}{prospective party}{business asset transaction}{individual} If the relevant transaction does not proceed or is not completed — X must destroy, or return to Y or Z (as the case may be), all personal data collected; and FIRST SCHEDULE PART 4 § 2.(4)(a) {business asset transaction}{organization} If the relevant transaction does not proceed or is not completed — Y must destroy, or return to Z, all personal data collected. FIRST SCHEDULE PART 4 § 2.(4)(b)] | Privacy protection for information and data | Data and Information Management | |
Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Records Management | |
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain data access procedures. CC ID 00414 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 [An organisation may collect, use or disclose personal data about an individual only for purposes— that the individual has been Subject to subsections (2), (3) and (4), on request of an individual, an organisation shall, as soon as reasonably possible, provide the individual with— information about the ways in which the personal data referred to in paragraph (a) has been or may have been used or disclosed by the organisation within a year before the date of the request. § 21.(1)(b) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the purpose for which the personal data will be collected, used or disclosed; § 15A.(4)(b)(ii) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: the organisation's intention to collect, use or disclose the personal data; § 15A.(4)(b)(i) {individual's vital interest} Where the organisation collects, uses or discloses (as the case may be) personal data about the individual under sub-paragraph (1), the organisation must, as soon as is practicable, notify the individual of the collection, use or disclosure (as the case may be) and the purpose for the collection, use or disclosure, as the case may be. FIRST SCHEDULE PART 1 § 1.(2) For the purposes of subsection (4), the organisation must inform the individual of the following: the purpose for which the organisation is collecting, using or disclosing (as the case may be) the personal data about the individual; § 20.(5)(a) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or § 20.(4)(a) {inform}Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. § 20.(4)(b)] | Privacy protection for information and data | Data and Information Management | |
Provide individuals with information about disclosure of their personal data. CC ID 00417 [{individual's vital interest} Where the organisation collects, uses or discloses (as the case may be) personal data about the individual under sub-paragraph (1), the organisation must, as soon as is practicable, notify the individual of the collection, use or disclosure (as the case may be) and the purpose for the collection, use or disclosure, as the case may be. FIRST SCHEDULE PART 1 § 1.(2)] | Privacy protection for information and data | Data and Information Management | |
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [{allow} An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. § 22.(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Records Management | |
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 [Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the organisation satisfies the requirements in subsection (4); and § 15A.(2)(a)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual; § 15A.(5)(a) {legitimate interest}{collect}{disclose}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify any adverse effect that the proposed collection, use or disclosure (as the case may be) of personal data about an individual is likely to have on the individual; FIRST SCHEDULE PART 3 § 1.(3)(a)] | Privacy protection for information and data | Data and Information Management | |
Disclose de-identified data, as necessary. CC ID 13034 | Privacy protection for information and data | Communicate | |
Notify the data subject after personal data is used or disclosed. CC ID 06247 [{business asset transaction}{organization}{prospective party}If X enters into the relevant transaction, the following conditions apply: X, Y or Z must notify the applicable individuals of Z whose personal data is disclosed that — the relevant transaction has taken place; and FIRST SCHEDULE PART 4 § 2.(3)(c)(i) {business asset transaction}{organization}{prospective party}If X enters into the relevant transaction, the following conditions apply: X, Y or Z must notify the applicable individuals of Z whose personal data is disclosed that — the personal data about them has been disclosed to X. FIRST SCHEDULE PART 4 § 2.(3)(c)(ii) If X enters into the business asset transaction, the following conditions apply: X or Y must notify the applicable individuals of Y whose personal data is disclosed that — the business asset transaction has taken place; and FIRST SCHEDULE PART 4 § 1.(4)(c)(i)] | Privacy protection for information and data | Behavior | |
Refrain from processing restricted data, as necessary. CC ID 12551 [Notwithstanding the other provisions in this Part, an organisation may use personal data about an individual collected before the appointed day for the purposes for which the personal data was collected unless — the individual, whether before, on or after the appointed day, has otherwise indicated to the organisation that he does not consent to the use of the personal data. § 19.(b) An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless — § 13.] | Privacy protection for information and data | Records Management | |
Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 | Privacy protection for information and data | Process or Activity | |
Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 | Privacy protection for information and data | Business Processes | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 | Privacy protection for information and data | Process or Activity | |
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Privacy protection for information and data | Data and Information Management | |
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 | Privacy protection for information and data | Data and Information Management | |
Refrain from processing personal data when it reveals trade union membership. CC ID 12583 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data when it reveals political opinions. CC ID 12575 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 | Privacy protection for information and data | Business Processes | |
Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 | Privacy protection for information and data | Process or Activity | |
Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the data protection officer's contact information in the record of processing activities. CC ID 12640 | Privacy protection for information and data | Records Management | |
Include the data processor's contact information in the record of processing activities. CC ID 12657 | Privacy protection for information and data | Records Management | |
Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 | Privacy protection for information and data | Records Management | |
Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 | Privacy protection for information and data | Records Management | |
Include a description of the data subject categories in the record of processing activities. CC ID 12659 | Privacy protection for information and data | Records Management | |
Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 | Privacy protection for information and data | Records Management | |
Include the personal data processing categories in the record of processing activities. CC ID 12661 | Privacy protection for information and data | Records Management | |
Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 | Privacy protection for information and data | Records Management | |
Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 | Privacy protection for information and data | Records Management | |
Include a description of the personal data categories in the record of processing activities. CC ID 12660 | Privacy protection for information and data | Records Management | |
Include the joint data controller's contact information in the record of processing activities. CC ID 12639 | Privacy protection for information and data | Records Management | |
Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 | Privacy protection for information and data | Records Management | |
Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 | Privacy protection for information and data | Records Management | |
Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 | Privacy protection for information and data | Records Management | |
Include the data controller's contact information in the record of processing activities. CC ID 12637 | Privacy protection for information and data | Records Management | |
Process restricted data lawfully and carefully. CC ID 00086 [{be appropriate} An organisation may collect, use or disclose personal data about an individual only for purposes— that a reasonable person would consider appropriate in the | Privacy protection for information and data | Establish Roles | |
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Privacy protection for information and data | Technical Security | |
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Privacy protection for information and data | Data and Information Management | |
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Privacy protection for information and data | Records Management | |
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Privacy protection for information and data | Data and Information Management | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Privacy protection for information and data | Records Management | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Privacy protection for information and data | Process or Activity | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Privacy protection for information and data | Records Management | |
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Privacy protection for information and data | Data and Information Management | |
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 [{disclose}The disclosure of personal data about an individual who is a current or former patient of any of the following to a public agency for the purposes of policy formulation or review: a healthcare institution licensed under the Private Hospitals and Medical Clinics Act (Cap. 248); SECOND SCHEDULE PART 3 Division 1 § 3.(a)] | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 [{disclose}The disclosure of personal data about an individual who is a current or former patient of any of the following to a public agency for the purposes of policy formulation or review: a prescribed healthcare body. SECOND SCHEDULE PART 3 Division 1 § 3.(c) {disclose}The disclosure of personal data about an individual who is a current or former patient of any of the following to a public agency for the purposes of policy formulation or review: a licensee under the Healthcare Services Act 2020 (Act 3 of 2020); SECOND SCHEDULE PART 3 Division 1 § 3.(b)] | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Privacy protection for information and data | Data and Information Management | |
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define and implement valid authorization control requirements. CC ID 06258 | Privacy protection for information and data | Establish/Maintain Documentation | |
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Privacy protection for information and data | Data and Information Management | |
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Privacy protection for information and data | Data and Information Management | |
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Privacy protection for information and data | Data and Information Management | |
Process personal data after the data subject has granted explicit consent. CC ID 00180 [{refrain from processing} An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless— the individual gives, or is deemed to have given, his consent under this Act to the collection, use or disclosure, as the case may be; or § 13.(a)] | Privacy protection for information and data | Data and Information Management | |
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 | Privacy protection for information and data | Data and Information Management | |
Process personal data relating to criminal offenses when required by law. CC ID 00237 | Privacy protection for information and data | Data and Information Management | |
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Privacy protection for information and data | Data and Information Management | |
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Privacy protection for information and data | Data and Information Management | |
Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Privacy protection for information and data | Data and Information Management | |
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [{collect}{disclose}Subject to sub-paragraphs (2), (3) and (4) — the collection, use or disclosure (as the case may be) of personal data about an individual is in the legitimate interests of the organisation or another person; and FIRST SCHEDULE PART 3 § 1.(1)(a)] | Privacy protection for information and data | Data and Information Management | |
Process traffic data in a controlled manner. CC ID 00130 | Privacy protection for information and data | Data and Information Management | |
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Privacy protection for information and data | Data and Information Management | |
Process personal data when it is publicly accessible. CC ID 00187 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual that is publicly available. FIRST SCHEDULE PART 2 § 1.] | Privacy protection for information and data | Data and Information Management | |
Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Privacy protection for information and data | Data and Information Management | |
Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Privacy protection for information and data | Business Processes | |
Process personal data for the purposes of employment. CC ID 16527 | Privacy protection for information and data | Data and Information Management | |
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services. FIRST SCHEDULE PART 3 § 5.] | Privacy protection for information and data | Data and Information Management | |
Process personal data for debt collection or benefit payments. CC ID 00190 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to recover a debt owed by the individual to the organisation; or FIRST SCHEDULE PART 3 § 4.(a) {collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to pay to the individual a debt owed by the organisation. FIRST SCHEDULE PART 3 § 4.(b) {legitimate interest}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — confer an interest or a benefit on the individual under a private trust or benefit plan; and FIRST SCHEDULE PART 3 § 7.(a)] | Privacy protection for information and data | Data and Information Management | |
Process personal data in order to advance the public interest. CC ID 00191 [The use of personal data about an individual for a research purpose (including historical or statistical research), if — there is a clear public benefit to using the personal data for the research purpose; SECOND SCHEDULE PART 2 Division 3 § 1.(b)] | Privacy protection for information and data | Data and Information Management | |
Process personal data for surveys, archives, or scientific research. CC ID 00192 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 [{without consent} The personal data about an individual is collected, used or disclosed (as the case may be) by a news organisation solely for its news activity. FIRST SCHEDULE PART 2 § 5. {without consent}{artistic purpose}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for artistic or literary purposes. FIRST SCHEDULE PART 2 § 3.] | Privacy protection for information and data | Data and Information Management | |
Process personal data for academic purposes or religious purposes. CC ID 00194 | Privacy protection for information and data | Data and Information Management | |
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Privacy protection for information and data | Data and Information Management | |
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Privacy protection for information and data | Data and Information Management | |
Follow legal obligations while processing personal data. CC ID 04794 | Privacy protection for information and data | Data and Information Management | |
Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 [An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if— it is reasonable that the individual would voluntarily provide the data. § 15.(1)(b) An organisation may — use personal data about an individual without the consent of the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 2 of the Second Schedule; or § 17.(1)(b) {individual's vital interest}{without consent}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — the individual would not reasonably be expected to withhold consent. FIRST SCHEDULE PART 1 § 1.(1)(b) {without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is in the national interest. FIRST SCHEDULE PART 2 § 2. {business improvement purpose}{organization}Subject to the conditions in sub-paragraphs (3), (4) and (5), personal data about an individual (P) — is used by X for a relevant purpose; or FIRST SCHEDULE PART 5 § 1.(1)(b) {business improvement purpose}Sub-paragraph (1)(b) applies only if — a reasonable person would consider the use of personal data about P for the relevant purpose to be appropriate in the circumstances. FIRST SCHEDULE PART 5 § 1.(4)(b) {business improvement purpose}{refrain from achieving}Sub-paragraph (1)(b) applies only if — the relevant purpose for which X uses personal data about P cannot reasonably be achieved without the use of the personal data in an individually identifiable form; and FIRST SCHEDULE PART 5 § 1.(4)(a)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 [{individual's vital interest}{collect}{disclose} Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — FIRST SCHEDULE PART 1 § 1.(1)] | Privacy protection for information and data | Process or Activity | |
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 [{without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or FIRST SCHEDULE PART 3 § 10.(a) {without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. FIRST SCHEDULE PART 3 § 10.(b)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 [Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: improving or enhancing any goods or services provided, or developing new goods or services to be provided, by the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(a) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: learning about and understanding the behaviour and preferences of P or another individual in relation to the goods or services provided by the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(c) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: identifying any goods or services provided by the organisation that may be suitable for P or another individual, or personalising or customising any such goods or services for P or another individual. SECOND SCHEDULE PART 2 Division 2 § 1.(1)(d)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 [{individual's vital interest}The collection, use or disclosure (as the case may be) of personal data about an individual, where — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; and FIRST SCHEDULE PART 1 § 3.(a)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 [{individual's vital interest}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; or FIRST SCHEDULE PART 1 § 1.(1)(a)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 [{without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is used or disclosed by X in relation to the business asset transaction; or FIRST SCHEDULE PART 4 § 1.(1)(b) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is used or disclosed by X or Y in relation to the relevant transaction; or FIRST SCHEDULE PART 4 § 2.(1)(b) {legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — relates to a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual. FIRST SCHEDULE PART 3 § 6.(1)(b) {business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: X may use or disclose the personal data collected from Y or Z (as the case may be) only for the same purposes for which Y or Z (as the case may be) would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(a)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent in order to perform a contract. CC ID 13586 [{prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: X may use or disclose the personal data X collected from Y only for the same purposes for which Y would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 1.(4)(a) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X and Y must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the business asset transaction. FIRST SCHEDULE PART 4 § 1.(3)(b) {business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y and Z must have entered into an agreement that requires Y to use or disclose the personal data solely for purposes related to the relevant transaction. FIRST SCHEDULE PART 4 § 2.(2)(b)(ii)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 [{is necessary}{without consent} The collection, use or disclosure of personal data is for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual. FIRST SCHEDULE PART 1 § 4.] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 [{refrain from achieving}The use of personal data about an individual for a research purpose (including historical or statistical research), if — the research purpose cannot reasonably be accomplished unless the personal data is used in an individually identifiable form; SECOND SCHEDULE PART 2 Division 3 § 1.(a) {collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for evaluative purposes. FIRST SCHEDULE PART 3 § 2. The use of personal data about an individual for a research purpose (including historical or statistical research), if — the results of the research will not be used to make any decision that affects the individual; and SECOND SCHEDULE PART 2 Division 3 § 1.(c)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is needed by law. CC ID 13577 [{refrain from processing} An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless— the collection, use or disclosure, as the case may be, without the consent of the individual is required or authorised under this Act or any other written law. § 13.(b) Subject to section 25, if an individual withdraws consent to the collection, use or disclosure of personal data about the individual by an organisation for any purpose, the organisation shall cease (and cause its data intermediaries and agents to cease) collecting, using or disclosing the personal data, as the case may be, unless such collection, use or disclosure, as the case may be, without the consent of the individual is required or authorised under this Act or other written law. § 16.(4)] | Privacy protection for information and data | Data and Information Management | |
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 [{without consent}{archival purpose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for archival or historical purposes, if a reasonable person would not consider the personal data to be too sensitive to the individual to be collected, used or disclosed (as the case may be) at the proposed time. FIRST SCHEDULE PART 2 § 4.] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is from publicly available information. CC ID 13576 [{without consent}The use of personal data about an individual, if — the personal data was disclosed by a public agency; and SECOND SCHEDULE PART 2 Division 1 § 1.(a)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent to create a credit report. CC ID 15288 [{legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — is for the purpose of the preparation by a credit bureau of a credit report; or FIRST SCHEDULE PART 3 § 6.(1)(a)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 [Unless otherwise provided under this Act, an organisation may — use or disclose personal data about an individual that — for purposes consistent with the purpose of that collection, or for any purpose permitted by subsection (1)(b) or (c), as the case may be. § 17.(2)(b) ¶ 1 Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the collection and use of that personal data by B, where the collection and use are reasonably necessary for any purpose mentioned in paragraph (a); § 15.(6)(b) {without consent}The personal data about an individual — is collected, used or disclosed (as the case may be) for purposes consistent with the purpose for which the document was produced. FIRST SCHEDULE PART 3 § 9.(b) {personal purpose}{domestic purposes}The personal data about an individual — is collected, used or disclosed (as the case may be) by the organisation solely for the purpose in sub-paragraph (a). FIRST SCHEDULE PART 3 § 8.(b) {without consent}The use of personal data about an individual, if — the use of personal data by the organization is consistent with the purpose of the disclosure by the public agency. SECOND SCHEDULE PART 2 Division 1 § 1.(b)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 [{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — administer that trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be. FIRST SCHEDULE PART 3 § 7.(b)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when produced for business purposes. CC ID 13563 [Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: improving or enhancing any goods or services provided, or developing new goods or services to be provided, by the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(a) Subject to the conditions in sub-paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes: improving or enhancing the methods or processes, or developing new methods or processes, for the operations of the organisation; SECOND SCHEDULE PART 2 Division 2 § 1.(1)(b) {cannot achieve}Sub-paragraph (1) applies only if — the purpose for which the organisation uses personal data about P cannot reasonably be achieved without the use of the personal data in an individually identifiable form; and SECOND SCHEDULE PART 2 Division 2 § 1.(2)(a) {business improvement purpose}Sub-paragraph (1) applies only if — a reasonable person would consider the use of personal data about P for that purpose to be appropriate in the circumstances. SECOND SCHEDULE PART 2 Division 2 § 1.(2)(b)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent for handling insurance claims. CC ID 13561 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent for life-threatening emergencies. CC ID 13558 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual, where — there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected. FIRST SCHEDULE PART 1 § 3.(b)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent for reasonable investigative purposes. CC ID 13557 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any investigation or proceedings. FIRST SCHEDULE PART 3 § 3.] | Privacy protection for information and data | Data and Information Management | |
Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 [{prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: X or Y must notify the applicable individuals of Y whose personal data is disclosed that — the personal data about them has been disclosed to X. FIRST SCHEDULE PART 4 § 1.(4)(c)(ii)] | Privacy protection for information and data | Behavior | |
Define security breach notification requirement exceptions. CC ID 04797 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 [An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless — § 13.] | Privacy protection for information and data | Records Management | |
Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary — § 15.(6)(a)] | Privacy protection for information and data | Data and Information Management | |
Define what restricted data is not required to be disclosed absent consent. CC ID 00134 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the exceptions to disclosure absent consent. CC ID 00135 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define opt-out exceptions for disclosing restricted data. CC ID 00159 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define how a data subject may give consent. CC ID 00160 [An individual has not given consent under this Act for the collection, use or disclosure of personal data about the individual by an organisation for a purpose unless— the individual has been provided with the information required under section 20; and § 14.(1)(a) {render invalid} Any consent given in any of the circumstances in subsection (2) is not validly given for the purposes of this Act. § 14.(3) An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if— the individual, without actually giving consent referred to in section 14, voluntarily provides the personal data to the organisation for that purpose; and § 15.(1)(a) In this Act, references to the consent given or deemed to have been given, by an individual for the collection, use, or disclosure of personal data about the individual shall include consent given, or deemed to have been given, by any person validly acting on behalf of that individual for the collection, use or disclosure of such personal data. § 14.(4) An individual has not given consent under this Act for the collection, use or disclosure of personal data about the individual by an organisation for a purpose unless — the individual provided his consent for that purpose in accordance with this Act. § 14.(1)(b) Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the individual does not notify the organisation, before the expiry of the period mentioned in subsection (4)(b)(iii), that the individual does not consent to the proposed collection, use or disclosure of the personal data by the organisation. § 15A.(2)(b) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual — take reasonable steps to bring the following information to the attention of the individual: a reasonable period within which, and a reasonable manner by which, the individual may notify the organisation that the individual does not consent to the organisation's proposed collection, use or disclosure of the personal data; and § 15A.(4)(b)(iii)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267 [An organisation may — disclose personal data about an individual without the consent of the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 3 of the Second Schedule. § 17.(1)(c) {individual's vital interest}{without consent}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — the individual would not reasonably be expected to withhold consent. FIRST SCHEDULE PART 1 § 1.(1)(b) {organization}{corporation}{business improvement purpose}Subject to the conditions in sub-paragraphs (3), (4) and (5), personal data about an individual (P) — is disclosed by Y to X for a relevant purpose. FIRST SCHEDULE PART 5 § 1.(1)(c)] | Privacy protection for information and data | Communicate | |
Disclose restricted data absent consent when the law does not require consent. CC ID 00136 | Privacy protection for information and data | Data and Information Management | |
Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 [Unless otherwise provided under this Act, an organisation may — use or disclose personal data about an individual that — for purposes consistent with the purpose of that collection, or for any purpose permitted by subsection (1)(b) or (c), as the case may be. § 17.(2)(b) ¶ 1 Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by B to another organisation, where the disclosure is reasonably necessary for any purpose mentioned in paragraph (a). § 15.(6)(c) {personal purpose}{domestic purposes}The personal data about an individual — is collected, used or disclosed (as the case may be) by the organisation solely for the purpose in sub-paragraph (a). FIRST SCHEDULE PART 3 § 8.(b) {business improvement purpose}{refrain from achieving}Sub-paragraph (1)(a) and (c) applies only if — the relevant purpose for which X collects, or Y discloses, personal data about P cannot reasonably be achieved without the collection, use or disclosure (as the case may be) of the personal data in an individually identifiable form; FIRST SCHEDULE PART 5 § 1.(3)(a) {without consent}The personal data about an individual — is collected, used or disclosed (as the case may be) for purposes consistent with the purpose for which the document was produced. FIRST SCHEDULE PART 3 § 9.(b)] | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the disclosure of that personal data by A to another organisation (B); § 15.(3)(a) Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the disclosure of that personal data by B to another organisation. § 15.(3)(c) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer of Y; and FIRST SCHEDULE PART 5 § 1.(5)(a) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer or a prospective customer of X. FIRST SCHEDULE PART 5 § 1.(5)(b)] | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 [{individual's vital interest}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; or FIRST SCHEDULE PART 1 § 1.(1)(a)] | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 [{without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or FIRST SCHEDULE PART 3 § 10.(a) {without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. FIRST SCHEDULE PART 3 § 10.(b)] | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent to create a credit report. CC ID 15297 [{legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — is for the purpose of the preparation by a credit bureau of a credit report; or FIRST SCHEDULE PART 3 § 6.(1)(a)] | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 [{business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y may collect, and Z may disclose, only personal data that is necessary for X or Y (as the case may be) to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(b)(i)] | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent for handling insurance claims. CC ID 13585 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 [{is necessary}{without consent} The collection, use or disclosure of personal data is for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual. FIRST SCHEDULE PART 1 § 4.] | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 [{collect}{disclose}Subject to sub-paragraphs (2), (3) and (4) — the collection, use or disclosure (as the case may be) of personal data about an individual is in the legitimate interests of the organisation or another person; and FIRST SCHEDULE PART 3 § 1.(1)(a)] | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 [{individual's vital interest}The collection, use or disclosure (as the case may be) of personal data about an individual, where — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; and FIRST SCHEDULE PART 1 § 3.(a) The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — it is impracticable for the organisation to seek the consent of the individual for the disclosure; SECOND SCHEDULE PART 3 Division 2 § 1.(b)] | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent in order to perform a contract. CC ID 00139 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary — for the conclusion or performance of a contract between A and B which is entered into at P's request, or which a reasonable person would consider to be in P's interest; § 15.(6)(a)(ii) {without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is used or disclosed by X in relation to the business asset transaction; or FIRST SCHEDULE PART 4 § 1.(1)(b) {without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is disclosed by Y to X for the purposes of the business transaction. FIRST SCHEDULE PART 4 § 1.(1)(c) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X may collect, and Y may disclose, only personal data that is necessary for X to determine whether to proceed with the business asset transaction; FIRST SCHEDULE PART 4 § 1.(3)(a) {prospective party}{organization}If X enters into the business asset transaction, the following conditions apply: X may use or disclose the personal data X collected from Y only for the same purposes for which Y would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 1.(4)(a) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X and Y must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the business asset transaction. FIRST SCHEDULE PART 4 § 1.(3)(b) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is used or disclosed by X or Y in relation to the relevant transaction; or FIRST SCHEDULE PART 4 § 2.(1)(b) Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary — for the performance of the contract between P and A; or § 15.(6)(a)(i) {legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — relates to a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual. FIRST SCHEDULE PART 3 § 6.(1)(b) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is disclosed by Y or Z (as the case may be) to X, or by Z to Y, for the purposes of the relevant transaction. FIRST SCHEDULE PART 4 § 2.(1)(c) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X may collect, and Y or Z (as the case may be) may disclose, only personal data that is necessary for X to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(a)(i) {business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: X may use or disclose the personal data collected from Y or Z (as the case may be) only for the same purposes for which Y or Z (as the case may be) would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(a) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X and Y or Z (as the case may be) must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the relevant transaction; FIRST SCHEDULE PART 4 § 2.(2)(a)(ii) {business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y and Z must have entered into an agreement that requires Y to use or disclose the personal data solely for purposes related to the relevant transaction. FIRST SCHEDULE PART 4 § 2.(2)(b)(ii) {legitimate interest}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — confer an interest or a benefit on the individual under a private trust or benefit plan; and FIRST SCHEDULE PART 3 § 7.(a)] | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 [{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — administer that trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be. FIRST SCHEDULE PART 3 § 7.(b)] | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 [{disclose}The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — in the event that the results of the research are published, the organisation publishes the results in a form that does not identify the individual. SECOND SCHEDULE PART 3 Division 2 § 1.(e)] | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 [{disclose}{without consent} The disclosure of personal data about an individual to a public agency, where the disclosure is necessary in the public interest. SECOND SCHEDULE PART 3 Division 1 § 1.] | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 [The use of personal data about an individual for a research purpose (including historical or statistical research), if — in the event that the results of the research are published, the organisation publishes the results in a form that does not identify the individual. SECOND SCHEDULE PART 2 Division 3 § 1.(d) {refrain from achieving}The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — the research purpose cannot reasonably be accomplished unless the personal data is disclosed in an individually identifiable form; SECOND SCHEDULE PART 3 Division 2 § 1.(a) The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — there is a clear public benefit to disclosing the personal data for the research purpose; SECOND SCHEDULE PART 3 Division 2 § 1.(c) {collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for evaluative purposes. FIRST SCHEDULE PART 3 § 2. {disclose}The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if — the results of the research will not be used to make a decision that affects the individual; and SECOND SCHEDULE PART 3 Division 2 § 1.(d)] | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 [{without consent}{archival purpose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for archival or historical purposes, if a reasonable person would not consider the personal data to be too sensitive to the individual to be collected, used or disclosed (as the case may be) at the proposed time. FIRST SCHEDULE PART 2 § 4.] | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent for public economic interests. CC ID 00148 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is in the national interest. FIRST SCHEDULE PART 2 § 2.] | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 [{without consent} The personal data about an individual is collected, used or disclosed (as the case may be) by a news organisation solely for its news activity. FIRST SCHEDULE PART 2 § 5. {without consent}{artistic purpose}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for artistic or literary purposes. FIRST SCHEDULE PART 2 § 3.] | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual that is publicly available. FIRST SCHEDULE PART 2 § 1.] | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 | Privacy protection for information and data | Data and Information Management | |
Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 [{individual's vital interest}{collect}{disclose} Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — FIRST SCHEDULE PART 1 § 1.(1)] | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual, where — there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected. FIRST SCHEDULE PART 1 § 3.(b)] | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any investigation or proceedings. FIRST SCHEDULE PART 3 § 3. {collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services. FIRST SCHEDULE PART 3 § 5.] | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent when it is needed by law. CC ID 00163 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 [An organisation must not inform any individual under subsection (1)(b) that the organisation has disclosed personal data about the individual to a prescribed law enforcement agency if the disclosure was made under this Act or any other written law without the consent of the individual. § 21.(4) {disclose} The disclosure of personal data about any individual to any officer of a prescribed law enforcement agency, upon production of written authorisation signed by the head or director of that prescribed law enforcement agency or a person of a similar rank, certifying that the personal data is necessary for the purposes of the functions or duties of the officer. SECOND SCHEDULE PART 3 Division 1 § 4.] | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to recover a debt owed by the individual to the organisation; or FIRST SCHEDULE PART 3 § 4.(a) {collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to pay to the individual a debt owed by the organisation. FIRST SCHEDULE PART 3 § 4.(b)] | Privacy protection for information and data | Data and Information Management | |
Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 | Privacy protection for information and data | Data and Information Management | |
Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain restricted data retention procedures. CC ID 00167 [the organisation must preserve, for not less than the prescribed period, a copy of the personal data concerned. § 22A.(1) ¶ 1] | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain personal data disposition procedures. CC ID 13498 | Privacy protection for information and data | Establish/Maintain Documentation | |
Capture personal data removal requests. CC ID 13507 | Privacy protection for information and data | Communicate | |
Remove personal data from records after receiving a personal data removal request. CC ID 11972 | Privacy protection for information and data | Records Management | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Process or Activity | |
Dispose of personal data removal requests, as necessary. CC ID 13512 | Privacy protection for information and data | Business Processes | |
Limit the redisclosure and reuse of restricted data. CC ID 00168 | Privacy protection for information and data | Data and Information Management | |
Refrain from redisclosing or reusing restricted data. CC ID 00169 | Privacy protection for information and data | Data and Information Management | |
Document the redisclosing restricted data exceptions. CC ID 00170 | Privacy protection for information and data | Establish/Maintain Documentation | |
Redisclose restricted data when the data subject consents. CC ID 00171 | Privacy protection for information and data | Data and Information Management | |
Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 | Privacy protection for information and data | Data and Information Management | |
Redisclose restricted data in order to protect public revenue. CC ID 00173 | Privacy protection for information and data | Data and Information Management | |
Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 | Privacy protection for information and data | Data and Information Management | |
Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 | Privacy protection for information and data | Data and Information Management | |
Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 | Privacy protection for information and data | Data and Information Management | |
Redisclose restricted data in order to preserve human life at sea. CC ID 00177 | Privacy protection for information and data | Data and Information Management | |
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 | Privacy protection for information and data | Data and Information Management | |
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 | Privacy protection for information and data | Data and Information Management | |
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Privacy protection for information and data | Data and Information Management | |
Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 | Privacy protection for information and data | Data and Information Management | |
Process Personal Identification Numbers with consent. CC ID 00239 | Privacy protection for information and data | Data and Information Management | |
Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 | Privacy protection for information and data | Behavior | |
Obtain consent prior to selling a Personal Identification Number. CC ID 00240 | Privacy protection for information and data | Data and Information Management | |
Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 | Privacy protection for information and data | Data and Information Management | |
Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 | Privacy protection for information and data | Data and Information Management | |
Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 | Privacy protection for information and data | Data and Information Management | |
Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 | Privacy protection for information and data | Establish/Maintain Documentation | |
Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 | Privacy protection for information and data | Data and Information Management | |
Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 | Privacy protection for information and data | Data and Information Management | |
Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 | Privacy protection for information and data | Data and Information Management | |
Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 | Privacy protection for information and data | Data and Information Management | |
Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain data disclosure procedures. CC ID 00133 [Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the organisation satisfies the requirements in subsection (4); and § 15A.(2)(a) {business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: Y may use or disclose the personal data collected from Z only for the same purposes for which Z would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(b)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual; § 15A.(5)(a) {legitimate interest}{collect}{disclose}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify any adverse effect that the proposed collection, use or disclosure (as the case may be) of personal data about an individual is likely to have on the individual; FIRST SCHEDULE PART 3 § 1.(3)(a)] | Privacy protection for information and data | Data and Information Management | |
Review personal data disclosure requests. CC ID 07129 | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of the disclosure purpose. CC ID 15268 [For the purposes of subsection (4), the organisation must inform the individual of the following: the purpose for which the organisation is collecting, using or disclosing (as the case may be) the personal data about the individual; § 20.(5)(a)] | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain data request denial procedures. CC ID 00434 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 [{personal data request} An organisation is not required to provide information under section 21(1) in respect of— any request— that would unreasonably interfere with the operations of the organisation because of the repetitious or systematic nature of the requests; FIFTH SCHEDULE § 1.(j)(i) {personal data request} An organisation is not required to provide information under section 21(1) in respect of— any request— for information that is trivial; or FIFTH SCHEDULE § 1.(j)(iv) {personal data request}{is unnecessary} An organisation is not required to provide information under section 21(1) in respect of— any request— that is otherwise frivolous or vexatious. FIFTH SCHEDULE § 1.(j)(v) {interfere}{operation} For the purposes of paragraph 1(j)(i), the organisation may have regard to the number and frequency of requests received. FIFTH SCHEDULE § 2.] | Privacy protection for information and data | Data and Information Management | |
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 [{personal data request} An organisation is not required to provide information under section 21(1) in respect of— any request— for information that does not exist or cannot be found; FIFTH SCHEDULE § 1.(j)(iii)] | Privacy protection for information and data | Data and Information Management | |
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 [{other person} An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to— reveal personal data about another individual; § 21.(3)(c) {other person} An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to — reveal the identity of an individual who has provided personal data about another individual and the individual providing the personal data does not consent to the disclosure of his identity; or § 21.(3)(d)] | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Data and Information Management | |
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [An organisation is not required to provide information under section 21(1) in respect of— personal data which, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the organisation; FIFTH SCHEDULE § 1.(g)] | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 [An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to— threaten the safety or physical or mental health of an individual other than the individual who made the request; § 21.(3)(a) An organisation shall not provide an individual with the individual's personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to— cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request; § 21.(3)(b)] | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Process or Activity | |
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Data and Information Management | |
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 [An organisation is not required to provide information under section 21(1) in respect of— opinion data kept solely for an evaluative purpose; FIFTH SCHEDULE § 1.(a)] | Privacy protection for information and data | Data and Information Management | |
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 [An organisation is not required to provide information under section 21(1) in respect of — personal data collected, used or disclosed without consent, under paragraph 3 of Part 3 of the First Schedule, for the purposes of an investigation if the investigation and associated proceedings and appeals have not been completed; FIFTH SCHEDULE § 1.(h)] | Privacy protection for information and data | Data and Information Management | |
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 [An organisation is not required to provide information under section 21(1) in respect of— the personal data was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he was appointed to act— under a collective agreement under the Industrial Relations Act (Cap. 136) or by agreement between the parties to the mediation or arbitration; FIFTH SCHEDULE § 1.(i)(i) An organisation is not required to provide information under section 21(1) in respect of— the personal data was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he was appointed to act— under any written law; or FIFTH SCHEDULE § 1.(i)(ii) An organisation is not required to provide information under section 21(1) in respect of— the personal data was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he was appointed to act— by a | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Data and Information Management | |
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 [{personal data request}{be disproportionate} An organisation is not required to provide information under section 21(1) in respect of—any request— if the burden or expense of providing access would be unreasonable to the organisation or disproportionate to the individual's interests; FIFTH SCHEDULE § 1.(j)(ii)] | Privacy protection for information and data | Data and Information Management | |
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 [the organisation must, within the prescribed time and in accordance with the prescribed requirements, notify the individual of the rejection. § 21.(6) ¶ 1] | Privacy protection for information and data | Data and Information Management | |
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Communicate | |
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Data and Information Management | |
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Process or Activity | |
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 [Subject to subsections (2), (3) and (4), on request of an individual, an organisation shall, as soon as reasonably possible, provide the individual with— personal data about the individual that is in the possession or under the control of the organisation; and § 21.(1)(a) {is complete} If an organisation is able to provide the individual with the individual's personal data and other information requested under subsection (1) without the personal data or other information excluded under subsections (2), (3) and (4), the organisation shall provide the individual with access to the personal data and other information without the personal data or other information excluded under subsections (2), (3) and (4). § 21.(5)] | Privacy protection for information and data | Data and Information Management | |
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Privacy protection for information and data | Data and Information Management | |
Notify that data subject of any exclusions to requested personal data. CC ID 15271 [the organisation must notify the individual of the exclusion, under subsection (2) or (3), of any of the personal data or other information so requested. § 21.(7) ¶ 1] | Privacy protection for information and data | Communicate | |
Provide data or records in a reasonable time frame. CC ID 00429 [{person}A checker is deemed to have complied with subsection (2)(a) if — the checker provides the applicable information to P before the expiry of the prescribed period mentioned in section 43(2)(b)(i). § 43A.(3)(b)] | Privacy protection for information and data | Data and Information Management | |
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Privacy protection for information and data | Communicate | |
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Data and Information Management | |
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Privacy protection for information and data | Data and Information Management | |
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Data and Information Management | |
Provide data at a cost that is not excessive. CC ID 00430 | Privacy protection for information and data | Data and Information Management | |
Provide records or data in a reasonable manner. CC ID 00431 | Privacy protection for information and data | Data and Information Management | |
Provide personal data in a form that is intelligible. CC ID 00432 | Privacy protection for information and data | Data and Information Management | |
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Data and Information Management | |
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Data and Information Management | |
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Data and Information Management | |
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Establish/Maintain Documentation | |
Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual; § 15A.(5)(a) {legitimate interest}{collect}{disclose}The organisation must, in respect of the assessment mentioned in sub-paragraph (2)(a) — identify any adverse effect that the proposed collection, use or disclosure (as the case may be) of personal data about an individual is likely to have on the individual; FIRST SCHEDULE PART 3 § 1.(3)(a)] | Privacy protection for information and data | Data and Information Management | |
Refrain from collecting personal data, as necessary. CC ID 15269 [An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless — § 13.] | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 [Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if — the organisation satisfies the requirements in subsection (4); and § 15A.(2)(a)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Establish/Maintain Documentation | |
Use personal data for specified purposes. CC ID 11831 [{business asset transaction}{organization}{prospective party}{individual}If X enters into the relevant transaction, the following conditions apply: Y may use or disclose the personal data collected from Z only for the same purposes for which Z would have been permitted to use or disclose the personal data; FIRST SCHEDULE PART 4 § 2.(3)(b)] | Privacy protection for information and data | Data and Information Management | |
Post the collection purpose. CC ID 00101 | Privacy protection for information and data | Establish/Maintain Documentation | |
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: § 15.(6)] | Privacy protection for information and data | Data and Information Management | |
Document each individual's personal data collection consent preferences. CC ID 06945 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide explicit consent that is clear and unambiguous. CC ID 00181 | Privacy protection for information and data | Data and Information Management | |
Allow individuals to change their personal data collection consent preferences. CC ID 06946 [{allow} On giving reasonable notice to the organisation, an individual may at any time withdraw any consent given, or deemed to have been given under this Act, in respect of the collection, use or disclosure by that organisation of personal data about the individual for any purpose. § 16.(1) An organisation shall not prohibit an individual from withdrawing his consent to the collection, use or disclosure of personal data about the individual, but this section shall not affect any legal consequences arising from such withdrawal. § 16.(3)] | Privacy protection for information and data | Data and Information Management | |
Adhere to each individual's personal data collection consent preferences. CC ID 06947 | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of the source of collected personal data. CC ID 00083 | Privacy protection for information and data | Behavior | |
Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 | Privacy protection for information and data | Data and Information Management | |
Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 | Privacy protection for information and data | Data and Information Management | |
Establish and maintain a personal data definition. CC ID 00028 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's name in the personal data definition. CC ID 04710 | Privacy protection for information and data | Data and Information Management | |
Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 | Privacy protection for information and data | Data and Information Management | |
Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 | Privacy protection for information and data | Data and Information Management | |
Include an individual's signature in the personal data definition. CC ID 04711 | Privacy protection for information and data | Data and Information Management | |
Include an individual's date of birth in the personal data definition. CC ID 04770 | Privacy protection for information and data | Data and Information Management | |
Include the number of children in the personal data definition. CC ID 13759 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the individual's religion in the personal data definition. CC ID 13765 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 | Privacy protection for information and data | Data and Information Management | |
Include an individual's biometric data in the personal data definition. CC ID 04698 | Privacy protection for information and data | Data and Information Management | |
Include an individual's photographic image in the personal data definition. CC ID 04779 | Privacy protection for information and data | Data and Information Management | |
Include an individual's fingerprints in the personal data definition. CC ID 04689 | Privacy protection for information and data | Data and Information Management | |
Include an individual's address in the personal data definition. CC ID 04687 | Privacy protection for information and data | Data and Information Management | |
Include an individual's telephone number in the personal data definition. CC ID 04688 | Privacy protection for information and data | Data and Information Management | |
Include an individual's fax number in the personal data definition. CC ID 07120 | Privacy protection for information and data | Data and Information Management | |
Include an individual's political party affiliation in the personal data definition. CC ID 13764 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's license plate number in the personal data definition. CC ID 13763 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's financial account number in the personal data definition. CC ID 04692 | Privacy protection for information and data | Data and Information Management | |
Include an individual's account balances in the personal data definition. CC ID 13770 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 | Privacy protection for information and data | Data and Information Management | |
Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 | Privacy protection for information and data | Data and Information Management | |
Include an individual's logon credentials in the personal data definition. CC ID 13771 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 | Privacy protection for information and data | Data and Information Management | |
Include an individual's passport number in the personal data definition. CC ID 04713 | Privacy protection for information and data | Data and Information Management | |
Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 | Privacy protection for information and data | Data and Information Management | |
Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 | Privacy protection for information and data | Data and Information Management | |
Include an individual's military identification number in the personal data definition. CC ID 13083 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include an individual's e-mail address in the personal data definition. CC ID 04696 | Privacy protection for information and data | Data and Information Management | |
Include electronic signatures in the personal data definition. CC ID 04697 | Privacy protection for information and data | Data and Information Management | |
Include an individual's payment card information in the personal data definition. CC ID 04751 | Privacy protection for information and data | Data and Information Management | |
Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 | Privacy protection for information and data | Data and Information Management | |
Include an individual's payment card service code in the personal data definition. CC ID 04753 | Privacy protection for information and data | Data and Information Management | |
Include an individual's payment card expiration date in the personal data definition. CC ID 04755 | Privacy protection for information and data | Data and Information Management | |
Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 | Privacy protection for information and data | Data and Information Management | |
Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 | Privacy protection for information and data | Data and Information Management | |
Include an individual's medical history in the personal data definition. CC ID 04701 | Privacy protection for information and data | Data and Information Management | |
Include an individual's medical treatment in the personal data definition. CC ID 04702 | Privacy protection for information and data | Data and Information Management | |
Include an individual's medical diagnosis in the personal data definition. CC ID 04703 | Privacy protection for information and data | Data and Information Management | |
Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 | Privacy protection for information and data | Data and Information Management | |
Include an individual's medical record numbers in the personal data definition. CC ID 07121 | Privacy protection for information and data | Data and Information Management | |
Include an individual's health insurance information in the personal data definition. CC ID 04705 | Privacy protection for information and data | Data and Information Management | |
Include an individual's health insurance policy number in the personal data definition. CC ID 04706 | Privacy protection for information and data | Data and Information Management | |
Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 | Privacy protection for information and data | Data and Information Management | |
Include an individual's education information in the personal data definition. CC ID 04714 | Privacy protection for information and data | Data and Information Management | |
Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 | Privacy protection for information and data | Data and Information Management | |
Include an individual's employment information in the personal data definition. CC ID 04715 | Privacy protection for information and data | Data and Information Management | |
Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 | Privacy protection for information and data | Data and Information Management | |
Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 | Privacy protection for information and data | Data and Information Management | |
Include an individual's employment history in the personal data definition. CC ID 04716 | Privacy protection for information and data | Data and Information Management | |
Include an individual's place of employment in the personal data definition. CC ID 04765 | Privacy protection for information and data | Data and Information Management | |
Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 | Privacy protection for information and data | Data and Information Management | |
Include an individual's property information in the personal data definition. CC ID 04780 | Privacy protection for information and data | Data and Information Management | |
Include an individual's property title in the personal data definition. CC ID 04781 | Privacy protection for information and data | Data and Information Management | |
Include an individual's vehicle registration in the personal data definition. CC ID 04782 | Privacy protection for information and data | Data and Information Management | |
Include hardware asset identification information in the personal data definition. CC ID 07123 | Privacy protection for information and data | Data and Information Management | |
Include MAC addresses in the personal data definition. CC ID 04778 | Privacy protection for information and data | Data and Information Management | |
Include Internet Protocol addresses in the personal data definition. CC ID 04777 | Privacy protection for information and data | Data and Information Management | |
Include asset serial numbers in the personal data definition. CC ID 07124 | Privacy protection for information and data | Data and Information Management | |
Include Uniform Resource Locators in the personal data definition. CC ID 07125 | Privacy protection for information and data | Data and Information Management | |
Refrain from including publicly available information in the personal data definition. CC ID 13084 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define specially restricted data. CC ID 00037 | Privacy protection for information and data | Data and Information Management | |
Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 | Privacy protection for information and data | Data and Information Management | |
Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 | Privacy protection for information and data | Data and Information Management | |
Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 | Privacy protection for information and data | Data and Information Management | |
Implement a nondiscrimination principle. CC ID 00081 | Privacy protection for information and data | Data and Information Management | |
Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 | Privacy protection for information and data | Data and Information Management | |
Preserve each individual's right to human dignity. CC ID 00082 | Privacy protection for information and data | Data and Information Management | |
Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 | Privacy protection for information and data | Data and Information Management | |
Employ a random number generator to create authenticators. CC ID 13782 | Privacy protection for information and data | Technical Security | |
Collect Personal Identification Numbers with the individual's consent. CC ID 00059 | Privacy protection for information and data | Data and Information Management | |
Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 | Privacy protection for information and data | Data and Information Management | |
Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 | Privacy protection for information and data | Data and Information Management | |
Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 | Privacy protection for information and data | Data and Information Management | |
Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 | Privacy protection for information and data | Behavior | |
Manage health data collection. CC ID 00050 | Privacy protection for information and data | Data and Information Management | |
Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 | Privacy protection for information and data | Data and Information Management | |
Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 | Privacy protection for information and data | Data and Information Management | |
Collect Individually Identifiable Health Information for research. CC ID 00054 | Privacy protection for information and data | Data and Information Management | |
Remove personal data before disclosing health data. CC ID 00055 | Privacy protection for information and data | Data and Information Management | |
Give special attention to collecting children's data. CC ID 00038 | Privacy protection for information and data | Data and Information Management | |
Use simple understandable language to collect information from children. CC ID 00039 | Privacy protection for information and data | Behavior | |
Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Privacy protection for information and data | Establish/Maintain Documentation | |
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a personal data collection policy. CC ID 00029 | Privacy protection for information and data | Establish/Maintain Documentation | |
Collect personal data directly from the data subject. CC ID 00011 | Privacy protection for information and data | Data and Information Management | |
Create and manage user account aliases to maintain pseudonymity. CC ID 04549 | Privacy protection for information and data | Data and Information Management | |
Provide unlinkability for users and resources. CC ID 04550 | Privacy protection for information and data | Data and Information Management | |
Provide unobservability of users and resources. CC ID 04551 | Privacy protection for information and data | Technical Security | |
Collect restricted data in a fair and lawful manner. CC ID 00010 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A: the collection and use of that personal data by B; § 15.(3)(b)] | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 [An organisation may — collect personal data about an individual, without the consent of the individual or from a source other than the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 1 of the Second Schedule; § 17.(1)(a) {individual's vital interest}{without consent}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — the individual would not reasonably be expected to withhold consent. FIRST SCHEDULE PART 1 § 1.(1)(b) {without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is in the national interest. FIRST SCHEDULE PART 2 § 2. {business improvement purpose}Sub-paragraph (1)(a) and (c) applies only if — a reasonable person would consider the collection or disclosure of personal data about P for the relevant purpose to be appropriate in the circumstances; and FIRST SCHEDULE PART 5 § 1.(3)(b) Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — § 17.(2)(a) Subject to the conditions in sub-paragraphs (3), (4) and (5), personal data about an individual (P) — is collected by an organisation (X) that is a corporation from a related corporation (Y) for a purpose specified in sub-paragraph (2) (called the relevant purpose); FIRST SCHEDULE PART 5 § 1.(1)(a) {business improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer of Y; and FIRST SCHEDULE PART 5 § 1.(5)(a) {business 
improvement purpose}Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub-paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be — an existing customer or a prospective customer of X. FIRST SCHEDULE PART 5 § 1.(5)(b) {personal purpose}The personal data about an individual — is provided to the organisation by another individual to enable the organisation to provide a service for the personal or domestic purposes of that other individual; and FIRST SCHEDULE PART 3 § 8.(a) {without consent}Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — on or after the specified date in accordance with subsection (1)(c); or § 17.(2)(a)(i) {without consent}Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — before the specified date in accordance with section 17(3) as in force before the specified date, § 17.(2)(a)(ii)] | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent when the data collection is in the individual's interests and consent can not be obtained in a timely manner. CC ID 00014 [{individual's vital interest}The collection, use or disclosure (as the case may be) of personal data about an individual, where — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; and FIRST SCHEDULE PART 1 § 3.(a) {individual's vital interest}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; or FIRST SCHEDULE PART 1 § 1.(1)(a) {legitimate interest}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — confer an interest or a benefit on the individual under a private trust or benefit plan; and FIRST SCHEDULE PART 3 § 7.(a)] | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent in order to make a disclosure. CC ID 13550 [{individual}{consent} Where an organisation collects personal data disclosed to it by B under subsection (6)(c), subsection (6)(b) and (c) applies to the organisation as if the personal data were disclosed by A to the organisation under subsection (6)(a). § 15.(7) {without consent}{collect}The collection of personal data about an individual, if — the personal data was disclosed by a public agency; and SECOND SCHEDULE PART 1 § 1.(a)] | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any investigation or proceedings. FIRST SCHEDULE PART 3 § 3.] | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 [Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following: the collection and use of that personal data by B, where the collection and use are reasonably necessary for any purpose mentioned in paragraph (a); § 15.(6)(b) {without consent}The personal data about an individual — is collected, used or disclosed (as the case may be) for purposes consistent with the purpose for which the document was produced. FIRST SCHEDULE PART 3 § 9.(b) {business improvement purpose}{refrain from achieving}Sub-paragraph (1)(a) and (c) applies only if — the relevant purpose for which X collects, or Y discloses, personal data about P cannot reasonably be achieved without the collection, use or disclosure (as the case may be) of the personal data in an individually identifiable form; FIRST SCHEDULE PART 5 § 1.(3)(a) {collect}{without consent}The collection of personal data about an individual, if — the collection of personal data by the organisation is consistent with the purpose of the disclosure by the public agency. SECOND SCHEDULE PART 1 § 1.(b) {personal purpose}{domestic purposes}The personal data about an individual — is collected, used or disclosed (as the case may be) by the organisation solely for the purpose in sub-paragraph (a). FIRST SCHEDULE PART 3 § 8.(b)] | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 [{collect}{without consent}The personal data about an individual — is included in a document produced in the course, and for the purposes, of the individual's employment, business or profession; and FIRST SCHEDULE PART 3 § 9.(a) {without consent}Subject to the conditions in sub-paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y — is collected from Y by X for the purposes of the business asset transaction; FIRST SCHEDULE PART 4 § 1.(1)(a) {organization}{party} Where the business asset transaction concerns any part of Y or Y's business assets, the personal data mentioned in sub-paragraph (1) must relate directly to that part of Y or Y's business assets, as the case may be. FIRST SCHEDULE PART 4 § 1.(2) {organization}If X is a prospective party to the business asset transaction, the following conditions apply: X may collect, and Y may disclose, only personal data that is necessary for X to determine whether to proceed with the business asset transaction; FIRST SCHEDULE PART 4 § 1.(3)(a) Subject to the conditions in sub-paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y's interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z — is collected from Y or Z by X, or from Z by Y, for the purposes of the relevant transaction; FIRST SCHEDULE PART 4 § 2.(1)(a) {legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — relates to a credit report provided by a credit 
bureau to a member of the credit bureau in relation to a transaction between the member and the individual. FIRST SCHEDULE PART 3 § 6.(1)(b) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X may collect, and Y or Z (as the case may be) may disclose, only personal data that is necessary for X to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(a)(i) {business asset transaction}{organization}{individual}If X is a prospective party to the relevant transaction, the following conditions apply: where Y collects the personal data mentioned in sub-paragraph (1) from Z — Y may collect, and Z may disclose, only personal data that is necessary for X or Y (as the case may be) to determine whether to proceed with the relevant transaction; and FIRST SCHEDULE PART 4 § 2.(2)(b)(i) {business asset transaction}If X is a prospective party to the relevant transaction, the following conditions apply: where X collects the personal data mentioned in sub-paragraph (1) from Y or Z — X and Y or Z (as the case may be) must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the relevant transaction; FIRST SCHEDULE PART 4 § 2.(2)(a)(ii)] | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent for handling insurance claims. CC ID 13543 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 [{is necessary}{without consent} The collection, use or disclosure of personal data is for the purpose of contacting the next-of-kin or a friend of any injured, ill or deceased individual. FIRST SCHEDULE PART 1 § 4.] | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 [{without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — entering into an employment relationship with the individual or appointing the individual to any office; or FIRST SCHEDULE PART 3 § 10.(a) {without consent}The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation — managing or terminating the employment relationship with or appointment of the individual. FIRST SCHEDULE PART 3 § 10.(b)] | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 [{individual's vital interest}{collect}{disclose} Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and — FIRST SCHEDULE PART 1 § 1.(1)] | Privacy protection for information and data | Data and Information Management | |
Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 [{without consent}{archival purpose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for archival or historical purposes, if a reasonable person would not consider the personal data to be too sensitive to the individual to be collected, used or disclosed (as the case may be) at the proposed time. FIRST SCHEDULE PART 2 § 4.] | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 [{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is to — administer that trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be. FIRST SCHEDULE PART 3 § 7.(b)] | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 [{without consent}{artistic purpose}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is solely for artistic or literary purposes. FIRST SCHEDULE PART 2 § 3. {without consent} The personal data about an individual is collected, used or disclosed (as the case may be) by a news organisation solely for its news activity. FIRST SCHEDULE PART 2 § 5.] | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to recover a debt owed by the individual to the organisation; or FIRST SCHEDULE PART 3 § 4.(a) {collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation — to pay to the individual a debt owed by the organisation. FIRST SCHEDULE PART 3 § 4.(b)] | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for evaluative purposes. FIRST SCHEDULE PART 3 § 2.] | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent from publicly available information. CC ID 00019 [{without consent}{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual that is publicly available. FIRST SCHEDULE PART 2 § 1.] | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent when needed by law. CC ID 00020 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent to create a credit report. CC ID 15287 [{legitimate interest}{collect}{disclose}Subject to sub-paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual — is for the purpose of the preparation by a credit bureau of a credit report; or FIRST SCHEDULE PART 3 § 6.(1)(a)] | Privacy protection for information and data | Data and Information Management | |
Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 | Privacy protection for information and data | Data and Information Management | |
Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 | Privacy protection for information and data | Data and Information Management | |
Collect the minimum amount of restricted data necessary. CC ID 00078 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data in a proper information framework. CC ID 00009 | Privacy protection for information and data | Data and Information Management | |
Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 [Unless otherwise provided under this Act, an organisation may — collect personal data about an individual that the organisation receives by way of a disclosure to the organisation — for purposes consistent with the purpose of that disclosure, or for any purpose permitted by subsection (1)(a); or § 17.(2)(a) ¶ 1 {collect}{disclose}Subject to sub-paragraphs (2), (3) and (4) — the collection, use or disclosure (as the case may be) of personal data about an individual is in the legitimate interests of the organisation or another person; and FIRST SCHEDULE PART 3 § 1.(1)(a)] | Privacy protection for information and data | Data and Information Management | |
Collect restricted data when required by law. CC ID 00031 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data to prevent life-threatening emergencies. CC ID 00032 [{without consent}{collect}{disclose}The collection, use or disclosure (as the case may be) of personal data about an individual, where — there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected. FIRST SCHEDULE PART 1 § 3.(b)] | Privacy protection for information and data | Data and Information Management | |
Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 | Privacy protection for information and data | Data and Information Management | |
Collect restricted data for legal purposes. CC ID 00036 [{collect}{disclose} The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services. FIRST SCHEDULE PART 3 § 5.] | Privacy protection for information and data | Data and Information Management | |
Provide the data subject with information about the data controller during the collection process. CC ID 00023 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 | Privacy protection for information and data | Communicate | |
Provide the data subject with the data collector's name and contact information. CC ID 00024 [For the purposes of subsection (4), the organisation must inform the individual of the following: on request by the individual, the business contact information of a person who is able to answer the individual's questions about that collection, use or disclosure (as the case may be) on behalf of the organisation. § 20.(5)(b)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Establish/Maintain Documentation | |
Implement security measures to protect personal data. CC ID 13606 [{storage device}An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent — the loss of any storage medium or device on which personal data is stored. § 24.(b) {absent authorization}An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent — unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and § 24.(a)] | Privacy protection for information and data | Technical Security | |
Establish, implement, and maintain a personal data transfer program. CC ID 00307 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 [{other country} An organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under this Act to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under this Act. § 26.(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 | Privacy protection for information and data | Data and Information Management | |
Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 | Privacy protection for information and data | Data and Information Management | |
Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 | Privacy protection for information and data | Data and Information Management | |
Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 | Privacy protection for information and data | Data and Information Management | |
Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 | Privacy protection for information and data | Data and Information Management | |
Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 | Privacy protection for information and data | Data and Information Management | |
Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322 | Privacy protection for information and data | Data and Information Management | |
Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 | Privacy protection for information and data | Data and Information Management | |
Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a privacy impact assessment. CC ID 13712 [The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify and implement reasonable measures to — reduce the likelihood that the adverse effect will occur; or § 15A.(5)(b)(ii) The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify and implement reasonable measures to — eliminate the adverse effect; § 15A.(5)(b)(i) The organisation must, in respect of the assessment mentioned in subsection (4)(a) — identify and implement reasonable measures to — mitigate the adverse effect; and § 15A.(5)(b)(iii)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include how to grant consent in the privacy impact assessment. CC ID 15519 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include data handling procedures in the privacy impact assessment. CC ID 15516 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the intended use of information in the privacy impact assessment. CC ID 15515 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the reason information is being collected in the privacy impact assessment. CC ID 15514 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the type of information to be collected in the privacy impact assessment. CC ID 15513 | Privacy protection for information and data | Business Processes | |
Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 | Privacy protection for information and data | Communicate | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Data and Information Management | |
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 [{refrain from correcting} Nothing in this section shall require an organisation to correct or otherwise alter an opinion, including a professional or an expert opinion. § 22.(6)] | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 [An organisation shall — develop a process to receive and respond to complaints that may arise with respect to the application of this Act; § 12.(b)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include potential remedies in the privacy dispute resolution program. CC ID 12531 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document unresolved challenges. CC ID 13568 [An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. Section 22 shall not apply in respect of— any examination conducted by an education institution, examination scripts and, prior to the release of examination results, examination results; SIXTH SCHEDULE § 1.(b) An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. Section 22 shall not apply in respect of— the personal data of the beneficiaries of a private trust kept solely for the purpose of administering the trust; SIXTH SCHEDULE § 1.(c) An organisation is not required to provide information under section 21(1) in respect of — a document related to a prosecution if all proceedings related to the prosecution have not been completed; or SIXTH SCHEDULE § 1.(e)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify individuals of their right to challenge personal data. CC ID 00457 | Privacy protection for information and data | Data and Information Management | |
Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 | Privacy protection for information and data | Data and Information Management | |
Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 | Privacy protection for information and data | Configuration | |
Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 | Privacy protection for information and data | Human Resources Management | |
Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 | Privacy protection for information and data | Data and Information Management | |
Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 | Privacy protection for information and data | Communicate | |
Investigate the disputed accuracy of personal data. CC ID 00461 | Privacy protection for information and data | Data and Information Management | |
Notify third parties of unresolved challenges. CC ID 13559 | Privacy protection for information and data | Communicate | |
Document disagreements as to whether personal data is complete and accurate. CC ID 06952 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 [An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation. Section 22 shall not apply in respect of— opinion data kept solely for an evaluative purpose; SIXTH SCHEDULE § 1.(a) If no correction is made under subsection (2)(a) or (4), the organisation shall annotate the personal data in its possession or under its control with the correction that was requested but not made. § 22.(5)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 | Privacy protection for information and data | Behavior | |
Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 [An organisation or a person (including any individual who is a complainant) aggrieved by — may make a written application to the Commission to reconsider the direction or decision in accordance with this section. § 48N.(1) ¶ 1] | Privacy protection for information and data | Behavior | |
Define the organization's liability based on the applicable law. CC ID 00504 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 [A person who suffers loss or damage directly as a result of a contravention — has a right of action for relief in civil proceedings in a court. § 48O.(1) ¶ 1 A telecommunications service provider which contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000. § 42.(2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the appeal process based on the applicable law. CC ID 00506 [The application for reconsideration — must be made in the form and manner required by the Commission; and § 48N.(4)(b) An organisation or a person aggrieved by a financial penalty imposed by the Commission under section 48J(1) on the organisation or person may make a written application to the Commission to reconsider the decision to impose the financial penalty or the amount of the financial penalty so imposed in accordance with this section. § 48N.(2) The application for reconsideration — subject to subsection (5), must be submitted to the Commission within the prescribed period; § 48N.(4)(a) The application for reconsideration — must set out the grounds on which the applicant is requesting the reconsideration. § 48N.(4)(c)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the fee structure for the appeal process. CC ID 16532 | Privacy protection for information and data | Process or Activity | |
Define the time requirements for the appeal process. CC ID 16531 | Privacy protection for information and data | Process or Activity | |
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 | Privacy protection for information and data | Communicate | |
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain customer data authentication procedures. CC ID 13187 | Privacy protection for information and data | Establish/Maintain Documentation | |
Check the accuracy of restricted data. CC ID 00088 [{is complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data— is likely to be used by the organisation to make a decision that affects the individual to whom the personal data relates; or § 23.(a) {is complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data— is likely to be disclosed by the organisation to another organisation. § 23.(b) {person}A checker must — ensure that the applicable information provided to P is accurate; and § 43A.(2)(a) {be complete}{be accurate} The organisation must ensure that the copy of the personal data it preserves for the purposes of subsection (1) is a complete and accurate copy of the personal data concerned. § 22A.(2) {be complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data — § 23.] | Privacy protection for information and data | Data and Information Management | |
Check that restricted data is complete. CC ID 00090 [{be complete}{be accurate} The organisation must ensure that the copy of the personal data it preserves for the purposes of subsection (1) is a complete and accurate copy of the personal data concerned. § 22A.(2) {be complete} An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data — § 23.] | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain an anti-spam policy. CC ID 00283 [Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the specified message includes the information, and complies with the conditions, specified in the regulations, if any; and § 44.(c) For the purposes of subsection (1), the person has valid confirmation that a Singapore telephone number is not listed in the relevant register in either of the following circumstances: the person has obtained from a checker information that the Singapore telephone number is not listed in the relevant register (called in this section the relevant information) and has no reason to believe that, and is not reckless as to whether — § 43.(2)(b)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from sending unsolicited commercial electronic messages under predetermined conditions. CC ID 13993 [Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless — the information included in the specified message in compliance with this section is reasonably likely to be valid for at least 30 days after the message is sent. § 44.(d) For the purposes of subsection (1), the person has valid confirmation that a Singapore telephone number is not listed in the relevant register in either of the following circumstances: the person has, within the prescribed duration before sending the specified message — made an application to the Commission under section 40(2) to confirm whether the Singapore telephone number is listed in the relevant register; and § 43.(2)(a)(i)] | Privacy protection for information and data | Communicate | |
Refrain from sending unsolicited commercial electronic messages with hyperlinks to a country with an anti-spam policy. CC ID 00284 | Privacy protection for information and data | Behavior | |
Refrain from including misleading information in the e-mail header when transmitting electronic messages. CC ID 00285 | Privacy protection for information and data | Behavior | |
Include contact information in commercial electronic messages. CC ID 15457 | Privacy protection for information and data | Business Processes | |
Refrain from sending commercial electronic messages to a third party computer when the message does not contain a functioning return e-mail address that is clearly visible to the receiver. CC ID 00287 | Privacy protection for information and data | Behavior | |
Refrain from sending commercial electronic messages, physical mail, or making telephone calls after an opt out by a user. CC ID 00288 [{refrain from sending} If a subscriber or user of a Singapore telephone number gives notice withdrawing consent given to a person for the sending of any specified message to that Singapore telephone number, the person shall cease (and cause its agent to cease) sending any specified message to that Singapore telephone number after the expiry of the prescribed period. § 47.(3)] | Privacy protection for information and data | Behavior | |
Include a personal identifier, an opt-out provision, and a physical address to add the recipient to the do-not-e-mail registry in all commercial e-mails. CC ID 00289 | Privacy protection for information and data | Behavior | |
Make the opt-out functional after the e-mail is sent, as necessary. CC ID 00290 | Privacy protection for information and data | Data and Information Management | |
Unsubscribe users from the opt-out notification, as necessary. CC ID 00291 | Privacy protection for information and data | Data and Information Management | |
Make identifiers accurate after e-mails are sent, as necessary. CC ID 00292 | Privacy protection for information and data | Data and Information Management | |
Define aggravated violations that relate to commercial electronic messages. CC ID 00293 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from using misleading subject lines or false subject line on unsolicited commercial electronic messages. CC ID 00294 | Privacy protection for information and data | Behavior | |
Define who enforces the anti-spam policy. CC ID 00295 | Privacy protection for information and data | Establish Roles | |
Establish, implement, and maintain a do-not-e-mail registry. CC ID 00297 | Privacy protection for information and data | Establish/Maintain Documentation | |
Enter individuals into the do-not-e-mail registry upon request. CC ID 11810 | Privacy protection for information and data | Data and Information Management | |
Refrain from using address-harvesting software to send unsolicited commercial e-mails. CC ID 00298 | Privacy protection for information and data | Behavior | |
Refrain from sending unsolicited commercial electronic messages to nonexistent electronic addresses. CC ID 00299 [Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless the person has, at the time the person sends the specified message, valid confirmation that the Singapore telephone number is not listed in the relevant register. § 43.(1) For the purposes of subsection (1), the person has valid confirmation that a Singapore telephone number is not listed in the relevant register in either of the following circumstances: the person has, within the prescribed duration before sending the specified message — received confirmation from the Commission that the Singapore telephone number is not listed in the relevant register; § 43.(2)(a)(ii) Subject to subsections (2) and (3), a person must not send, cause to be sent or authorise the sending of an applicable message. § 48B.(1)] | Privacy protection for information and data | Behavior | |
Include that commercial electronic messages may be sent to an individual in any situation where the sender has prior consent from the individual or another existing business relationship in the anti-spam policy. CC ID 00300 | Privacy protection for information and data | Establish/Maintain Documentation | |
Send commercial electronic messages to individuals who have consented to receive them. CC ID 00302 | Privacy protection for information and data | Behavior | |
Send commercial electronic messages to individuals who have an existing relationship with the organization. CC ID 00301 | Privacy protection for information and data | Behavior | |
Send commercial electronic messages to individuals who perform a business function to which the content of the message pertains. CC ID 13995 | Privacy protection for information and data | Communicate | |
Document erroneous messages when an unsolicited commercial electronic message is accidentally sent. CC ID 00303 | Privacy protection for information and data | Establish/Maintain Documentation | |
Give customers the opportunity to object to receiving commercial electronic messages. CC ID 00304 [{allow} For the avoidance of doubt, a subscriber of a Singapore telephone number may, at any time on or after the date of commencement of this Part, withdraw any consent given for the sending of a specified message to that Singapore telephone number. § 47.(6)] | Privacy protection for information and data | Data and Information Management |