0003679
Digital Personal Data Protection Act, 2023, August 11, 2023
Ministry of Law and Justice, Government of India
Statutes (Bills or Acts)
Free
Digital Personal Data Protection Act, 2023
Digital Personal Data Protection Act, 2023
2023-08-11
The document as a whole was last reviewed and released on 2023-11-15T00:00:00-0800.
0003679
Free
Ministry of Law and Justice, Government of India
Statutes (Bills or Acts)
Digital Personal Data Protection Act, 2023
Digital Personal Data Protection Act, 2023
2023-08-11
The document as a whole was last reviewed and released on 2023-11-15T00:00:00-0800.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Digital Personal Data Protection Act, 2023, August 11, 2023 that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for Digital Personal Data Protection Act, 2023, August 11, 2023 are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain an audit program. CC ID 00684 | Establish/Maintain Documentation | Preventive | |
Assign the audit to impartial auditors. CC ID 07118 [The Significant Data Fiduciary shall— appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and § 10.(2)(b)] | Establish Roles | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and Risk Management | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and Risk Management | Detective | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Business Processes | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic audit; and § 10.(2)(c)(ii) The Significant Data Fiduciary shall— appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and § 10.(2)(b)] | Audits and Risk Management | Preventive | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 | Actionable Reports or Measurements | Preventive | |
Document any after the fact changes to the engagement file. CC ID 07002 | Establish/Maintain Documentation | Preventive | |
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Establish/Maintain Documentation | Preventive | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Establish/Maintain Documentation | Preventive | |
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Records Management | Preventive | |
Conduct onsite inspections, as necessary. CC ID 16199 | Testing | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and Risk Management | Detective | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and Risk Management | Detective | |
Audit policies, standards, and procedures. CC ID 12927 | Audits and Risk Management | Preventive | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Investigate | Detective | |
Audit information systems, as necessary. CC ID 13010 | Investigate | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Investigate | Detective | |
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Testing | Detective | |
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Testing | Detective | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and Risk Management | Detective | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Process or Activity | Detective | |
Edit the audit assertion for accuracy. CC ID 07030 | Establish/Maintain Documentation | Preventive | |
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Establish/Maintain Documentation | Preventive | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Testing | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Process or Activity | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Testing | Detective | |
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Testing | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 | Testing | Detective | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and Risk Management | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and Risk Management | Detective | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and Risk Management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and Risk Management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Process or Activity | Preventive | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and Risk Management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and Risk Management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and Risk Management | Detective | |
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Testing | Detective | |
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Establish/Maintain Documentation | Preventive | |
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 | Testing | Preventive | |
Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and Risk Management | Preventive | |
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and Risk Management | Preventive | |
Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and Risk Management | Preventive | |
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and Risk Management | Preventive | |
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and Risk Management | Preventive | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Communicate | Preventive | |
Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Testing | Preventive | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Human Resources Management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Process or Activity | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Process or Activity | Preventive | |
Identify interviewees. CC ID 16290 | Process or Activity | Preventive | |
Conduct interviews, as necessary. CC ID 07188 | Testing | Detective | |
Verify statements made by interviewees are correct. CC ID 16299 | Behavior | Detective | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Process or Activity | Detective | |
Allow interviewee to respond to explanations. CC ID 16296 | Process or Activity | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Process or Activity | Detective | |
Explain the goals of the interview to the interviewee. CC ID 07189 | Behavior | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Process or Activity | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Process or Activity | Corrective | |
Establish and maintain work papers, as necessary. CC ID 13891 | Establish/Maintain Documentation | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Establish/Maintain Documentation | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 | Establish/Maintain Documentation | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Establish/Maintain Documentation | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Establish/Maintain Documentation | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Establish/Maintain Documentation | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Establish/Maintain Documentation | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and Risk Management | Preventive | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Establish/Maintain Documentation | Preventive | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Establish/Maintain Documentation | Preventive | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Establish/Maintain Documentation | Preventive | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Establish/Maintain Documentation | Preventive | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and Risk Management | Detective | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and Risk Management | Preventive | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Testing | Detective | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Establish/Maintain Documentation | Preventive | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Establish/Maintain Documentation | Preventive | |
Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Testing | Detective | |
Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Monitor and Evaluate Occurrences | Preventive | |
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Establish Roles | Preventive | |
Respond to questions or clarification requests regarding the audit. CC ID 08902 | Business Processes | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)] | Process or Activity | Preventive | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Establish/Maintain Documentation | Preventive | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)] | Establish/Maintain Documentation | Preventive | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Communicate | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Establish/Maintain Documentation | Preventive | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Establish/Maintain Documentation | Preventive | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)] | Establish/Maintain Documentation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Establish Roles | Preventive | |
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 [The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— be based in India; § 10.(2)(a)(ii) {be responsible} The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; and § 10.(2)(a)(iii) The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— § 10.(2)(a) The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— represent the Significant Data Fiduciary under the provisions of this Act; § 10.(2)(a)(i)] | Human Resources Management | Preventive | |
Define and assign the authorized representatives roles and responsibilities. CC ID 15033 [{act on behalf} The Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed. § 6.(8)] | Human Resources Management | Preventive | |
Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for dispute resolution. CC ID 13626 [The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— be the point of contact for the grievance redressal mechanism under the provisions of this Act; § 10.(2)(a)(iv)] | Human Resources Management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 | Establish/Maintain Documentation | Preventive | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— such other measures, consistent with the provisions of this Act, as may be prescribed. § 10.(2)(c)(iii)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a financial management program. CC ID 13228 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Establish/Maintain Documentation | Preventive | |
Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Communicate | Preventive | |
Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Business Processes | Preventive | |
Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Business Processes | Preventive | |
Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Business Processes | Preventive | |
Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Investigate | Detective | |
Attach the required information to each funds transfer. CC ID 16756 | Business Processes | Preventive | |
Verify all required information is attached to each funds transfer. CC ID 16755 | Business Processes | Detective | |
Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Business Processes | Preventive | |
Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Testing | Preventive | |
Include communication protocols in the financial management program. CC ID 16763 | Establish/Maintain Documentation | Preventive | |
Include ongoing monitoring in the financial management program. CC ID 16762 | Process or Activity | Preventive | |
Employ tools to manage settlement and funding flows. CC ID 16743 | Process or Activity | Preventive | |
Refrain from setting up anonymous financial accounts. CC ID 16721 | Business Processes | Preventive | |
Identify and maintain positions in financial accounts. CC ID 16751 | Business Processes | Preventive | |
Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Establish/Maintain Documentation | Preventive | |
Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Process or Activity | Preventive | |
Establish, implement, and maintain financial resource management procedures. CC ID 16642 | Establish/Maintain Documentation | Preventive | |
Document the rationale for the amount of financial resources being held. CC ID 16688 | Establish/Maintain Documentation | Preventive | |
Supplement financial resources, as necessary. CC ID 16685 | Business Processes | Preventive | |
Establish, implement, and maintain collateral procedures. CC ID 16653 | Establish/Maintain Documentation | Preventive | |
Include the use of appropriate models in the collateral procedures. CC ID 16687 | Establish/Maintain Documentation | Preventive | |
Define the collateral requirements in the collateral procedures. CC ID 16686 | Establish/Maintain Documentation | Preventive | |
Test the collateral requirements for appropriateness. CC ID 16681 | Testing | Preventive | |
Limit the types of assets accepted as collateral. CC ID 16602 | Business Processes | Preventive | |
Avoid the use of concentrated holdings of assets. CC ID 16651 | Business Processes | Preventive | |
Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Testing | Preventive | |
Include stress scenarios in the stress test plan. CC ID 16659 | Testing | Preventive | |
Analyze the effectiveness of the stress test plan. CC ID 16657 | Process or Activity | Detective | |
Perform stress testing in accordance with the stress test plan. CC ID 16652 | Testing | Preventive | |
Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Communicate | Preventive | |
Identify and document the financial resources available for use. CC ID 16643 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain credit loss procedures. CC ID 16683 | Establish/Maintain Documentation | Preventive | |
Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a securities trading program. CC ID 16626 | Business Processes | Preventive | |
Include fairness and equitability standards in the securities trading program. CC ID 16690 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the securities trading program. CC ID 16689 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Establish/Maintain Documentation | Preventive | |
Include performance guarantees in the capital restoration plan. CC ID 16616 | Establish/Maintain Documentation | Preventive | |
Include corrective actions taken in the capital restoration plan. CC ID 16612 | Establish/Maintain Documentation | Preventive | |
Include required information in the capital restoration plan. CC ID 16609 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain valuation procedures. CC ID 16634 | Establish/Maintain Documentation | Preventive | |
Include investment information in approval requests for investments. CC ID 16590 | Business Processes | Preventive | |
Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain lending policies. CC ID 16608 | Establish/Maintain Documentation | Preventive | |
Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Process or Activity | Preventive | |
Include the requirements for risk assessments in the lending policy. CC ID 16730 | Establish/Maintain Documentation | Preventive | |
Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Establish/Maintain Documentation | Preventive | |
Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Establish/Maintain Documentation | Preventive | |
Include pricing structures in the lending policy. CC ID 16724 | Establish/Maintain Documentation | Preventive | |
Include monitoring requirements in the lending policy. CC ID 16710 | Establish/Maintain Documentation | Preventive | |
Include loan origination procedures in the lending policy. CC ID 16709 | Establish/Maintain Documentation | Preventive | |
Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Establish/Maintain Documentation | Preventive | |
Include loan requirements in the lending policy. CC ID 16706 | Establish/Maintain Documentation | Preventive | |
Include appraisals and evaluations in the lending policy. CC ID 16705 | Establish/Maintain Documentation | Preventive | |
Include terms and conditions in the lending policy. CC ID 16695 | Establish/Maintain Documentation | Preventive | |
Include the scope and distribution of loans in the lending policy. CC ID 16693 | Establish/Maintain Documentation | Preventive | |
Include geographic areas in the lending policy. CC ID 16691 | Establish/Maintain Documentation | Preventive | |
Include underwriting guidelines in the lending policy. CC ID 16619 | Establish/Maintain Documentation | Preventive | |
Include credit review in the underwriting guidelines. CC ID 16765 | Establish/Maintain Documentation | Preventive | |
Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Establish/Maintain Documentation | Preventive | |
Include documentation requirements in the lending policy. CC ID 16617 | Establish/Maintain Documentation | Preventive | |
Include the purpose of the loan in the loan documentation. CC ID 16747 | Establish/Maintain Documentation | Preventive | |
Include the source of repayment in the loan documentation. CC ID 16746 | Establish/Maintain Documentation | Preventive | |
Include approval requirements in the lending policy. CC ID 16615 | Establish/Maintain Documentation | Preventive | |
Include reporting requirements in the lending policy. CC ID 16614 | Establish/Maintain Documentation | Preventive | |
Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Establish/Maintain Documentation | Preventive | |
Include loan administration procedures in the lending policy. CC ID 16610 | Establish/Maintain Documentation | Preventive | |
Include loan participation agreements in the loan administration procedures. CC ID 16745 | Establish/Maintain Documentation | Preventive | |
Include termination procedures in the loan participation agreement. CC ID 16753 | Establish/Maintain Documentation | Preventive | |
Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Establish/Maintain Documentation | Preventive | |
Include servicing agreements in the loan administration procedures. CC ID 16744 | Establish/Maintain Documentation | Preventive | |
Include claims processing in the loan administration procedures. CC ID 16742 | Establish/Maintain Documentation | Preventive | |
Include forbearance management in the loan administration procedures. CC ID 16741 | Establish/Maintain Documentation | Preventive | |
Include foreclosure management in the loan administration procedures. CC ID 16740 | Establish/Maintain Documentation | Preventive | |
Include delinquency management in the loan administration procedures. CC ID 16739 | Establish/Maintain Documentation | Preventive | |
Include customer due diligence in the loan administration procedures. CC ID 16736 | Process or Activity | Preventive | |
Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Establish/Maintain Documentation | Preventive | |
Include loan closing in the loan administration procedures. CC ID 16734 | Establish/Maintain Documentation | Preventive | |
Include payoff statements in the loan administration procedures. CC ID 16733 | Establish/Maintain Documentation | Preventive | |
Include payment processing in the loan administration procedures. CC ID 16732 | Establish/Maintain Documentation | Preventive | |
Include loan reviews in the loan administration procedures. CC ID 16703 | Establish/Maintain Documentation | Preventive | |
Include collections in the loan administration procedures. CC ID 16701 | Establish/Maintain Documentation | Preventive | |
Include collateral inspections in the loan administration procedures. CC ID 16699 | Establish/Maintain Documentation | Preventive | |
Include disbursements in the loan administration procedures. CC ID 16697 | Establish/Maintain Documentation | Preventive | |
Review and approve lending policies. CC ID 16607 | Business Processes | Preventive | |
Establish, implement, and maintain a dividend policy. CC ID 16569 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the dividend policy. CC ID 16570 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain margin systems. CC ID 16601 | Business Processes | Preventive | |
Include valuation models in the margin system. CC ID 16663 | Data and Information Management | Preventive | |
Include procedures for collecting price data in the margin system. CC ID 16662 | Data and Information Management | Preventive | |
Include reliable sources for price data in the margin system. CC ID 16661 | Data and Information Management | Preventive | |
Validate the margin system on a regular basis. CC ID 16660 | Testing | Detective | |
Assess the properties of the margin model used in the margin system. CC ID 16658 | Process or Activity | Detective | |
Monitor the performance of the margin system. CC ID 16655 | Monitor and Evaluate Occurrences | Detective | |
Analyze the performance of the margin system. CC ID 16654 | Process or Activity | Detective | |
Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Business Processes | Preventive | |
Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Establish/Maintain Documentation | Preventive | |
Determine the amount of assets to be held in escrow. CC ID 16575 | Investigate | Detective | |
Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Communicate | Preventive | |
Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 | Establish/Maintain Documentation | Preventive | |
Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Establish/Maintain Documentation | Preventive | |
Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Establish/Maintain Documentation | Preventive | |
Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Establish/Maintain Documentation | Preventive | |
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Data and Information Management | Preventive | |
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Data and Information Management | Preventive | |
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Data and Information Management | Preventive | |
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Data and Information Management | Preventive | |
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Data and Information Management | Preventive | |
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Data and Information Management | Preventive | |
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Data and Information Management | Preventive | |
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Data and Information Management | Preventive | |
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Data and Information Management | Preventive | |
Include account information In the recordkeeping system for securities transactions. CC ID 16632 | Data and Information Management | Preventive | |
Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Establish/Maintain Documentation | Preventive | |
Include the call date in the securities transaction notification. CC ID 16680 | Establish/Maintain Documentation | Preventive | |
Include service charges and commissions in the securities transaction notification. CC ID 16702 | Establish/Maintain Documentation | Preventive | |
Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Establish/Maintain Documentation | Preventive | |
Include the call price in the securities transaction notification. CC ID 16678 | Establish/Maintain Documentation | Preventive | |
Include debits and credits in the securities transaction notification. CC ID 16677 | Establish/Maintain Documentation | Preventive | |
Include transactions in the securities transaction notification. CC ID 16676 | Establish/Maintain Documentation | Preventive | |
Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Establish/Maintain Documentation | Preventive | |
Include yield information in the securities transaction notification. CC ID 16673 | Establish/Maintain Documentation | Preventive | |
Include redemption information in the securities transaction notification. CC ID 16672 | Establish/Maintain Documentation | Preventive | |
Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Establish/Maintain Documentation | Preventive | |
Include the type of call in the securities transaction notification. CC ID 16668 | Establish/Maintain Documentation | Preventive | |
Include an account statement in the securities transaction notification. CC ID 16666 | Establish/Maintain Documentation | Preventive | |
Include the yield to maturity in the securities transaction notification. CC ID 16665 | Establish/Maintain Documentation | Preventive | |
Include the execution price in the securities transaction notification. CC ID 16664 | Establish/Maintain Documentation | Preventive | |
Include the organization's role in the securities transaction notification. CC ID 16646 | Establish/Maintain Documentation | Preventive | |
Include the name of the broker in the securities transaction notification. CC ID 16647 | Establish/Maintain Documentation | Preventive | |
Include the name of the customer in the securities transaction notification. CC ID 16625 | Establish/Maintain Documentation | Preventive | |
Include the organization's name in the securities transaction notification. CC ID 16624 | Establish/Maintain Documentation | Preventive | |
Include confirmations in the securities transaction notification. CC ID 16623 | Establish/Maintain Documentation | Preventive | |
Include remunerations in the securities transaction notification. CC ID 16622 | Establish/Maintain Documentation | Preventive | |
Include requested information in the securities transaction notification. CC ID 16641 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Communicate | Preventive | |
Include the execution date in the securities transaction notification. CC ID 16620 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain financial reports. CC ID 14770 | Establish/Maintain Documentation | Preventive | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Establish/Maintain Documentation | Preventive | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Establish/Maintain Documentation | Preventive | |
Include the business need justification for lost value in the financial report. CC ID 15588 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Communicate | Preventive | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Establish/Maintain Documentation | Preventive | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Establish/Maintain Documentation | Preventive | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Establish/Maintain Documentation | Preventive | |
Include material contingencies in the financial statement. CC ID 16596 | Establish/Maintain Documentation | Preventive | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Establish/Maintain Documentation | Preventive | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Establish/Maintain Documentation | Preventive | |
Include assets and liabilities in the call report. CC ID 16729 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Communicate | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 [{technical measure} A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder. § 8.(4)] | Process or Activity | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 | Establish/Maintain Documentation | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)] | Establish/Maintain Documentation | Preventive | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Establish/Maintain Documentation | Preventive | |
Include startup processes in operational control procedures. CC ID 00833 | Establish/Maintain Documentation | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a data processing run manual. CC ID 00832 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Establish/Maintain Documentation | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Process or Activity | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Establish/Maintain Documentation | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Establish/Maintain Documentation | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Establish/Maintain Documentation | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Establish/Maintain Documentation | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Establish/Maintain Documentation | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Establish/Maintain Documentation | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Establish/Maintain Documentation | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Establish/Maintain Documentation | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Establish/Maintain Documentation | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Establish/Maintain Documentation | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Establish/Maintain Documentation | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Establish/Maintain Documentation | Preventive | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Records Management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Business Processes | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Process or Activity | Preventive | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Business Processes | Preventive | |
Update operating procedures that contribute to user errors. CC ID 06935 | Establish/Maintain Documentation | Corrective | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Communicate | Preventive | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Establish/Maintain Documentation | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [{technical measure} A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder. § 8.(4)] | Business Processes | Preventive | |
Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 | Process or Activity | Preventive | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Process or Activity | Preventive | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Process or Activity | Preventive | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Process or Activity | Preventive | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Process or Activity | Preventive | |
Analyze the organizational culture. CC ID 12899 | Process or Activity | Preventive | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Process or Activity | Detective | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Process or Activity | Detective | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Process or Activity | Detective | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Behavior | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Business Processes | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Business Processes | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Business Processes | Preventive | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Behavior | Preventive | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Behavior | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Business Processes | Preventive | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Behavior | Preventive | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Behavior | Preventive | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Process or Activity | Corrective | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9) A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor. § 8.(1)] | Establish/Maintain Documentation | Preventive | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Communicate | Preventive | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Business Processes | Preventive | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Behavior | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Business Processes | Preventive | |
Include detection procedures in the Incident Management program. CC ID 00588 | Establish/Maintain Documentation | Preventive | |
Share incident information with interested personnel and affected parties. CC ID 01212 | Data and Information Management | Corrective | |
Report data loss event information to breach notification organizations. CC ID 01210 [In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed. § 8.(6)] | Data and Information Management | Corrective | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Log Management | Detective | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Communicate | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Communicate | Preventive | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Behavior | Corrective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Data and Information Management | Preventive | |
Establish and maintain privacy notices, as necessary. CC ID 13443 | Establish/Maintain Documentation | Preventive | |
Include the personal data collection categories in the privacy notice. CC ID 13457 [Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the personal data and the purpose for which the same is proposed to be processed; § 5.(1) ¶ 1(i)] | Establish/Maintain Documentation | Preventive | |
Deliver privacy notices to data subjects, as necessary. CC ID 13444 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– § 5.(2) ¶ 1(a) Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— § 5.(1) ¶ 1] | Communicate | Preventive | |
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Establish/Maintain Documentation | Preventive | |
Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 | Communicate | Preventive | |
Notify data subjects about their privacy rights. CC ID 12989 [Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and § 5.(1) ¶ 1(ii) Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and § 5.(2) ¶ 1(a)(ii)] | Communicate | Preventive | |
Establish, implement, and maintain adequate openness procedures. CC ID 00377 | Data and Information Management | Preventive | |
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)] | Behavior | Preventive | |
Define what is included in registration notices. CC ID 00386 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the registration notice. CC ID 16803 | Establish Roles | Preventive | |
Include the verification method in the registration notice. CC ID 16798 | Establish/Maintain Documentation | Preventive | |
Include the statutory authority in the registration notice. CC ID 16799 | Establish/Maintain Documentation | Preventive | |
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 | Establish/Maintain Documentation | Preventive | |
Include a purpose specification description in the registration notice. CC ID 00388 | Establish/Maintain Documentation | Preventive | |
Include information about the dispute resolution body in the registration notice. CC ID 16800 | Establish/Maintain Documentation | Preventive | |
Include the data subject category being processed in the registration notice. CC ID 00389 | Establish/Maintain Documentation | Preventive | |
Include the time period for data processing in the registration notice. CC ID 00390 | Establish/Maintain Documentation | Preventive | |
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 | Establish/Maintain Documentation | Preventive | |
Refrain from providing information to the data subject, as necessary. CC ID 12625 [{shall not apply} {requirement} {Data Principal} {furnish} {information} Nothing contained in clause (b) or clause (c) of sub-section (1) shall apply in respect of the sharing of any personal data by the said Data Fiduciary with any other Data Fiduciary authorised by law to obtain such personal data, where such sharing is pursuant to a request made in writing by such other Data Fiduciary for the purpose of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences. § 11.(2)] | Communicate | Preventive | |
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 | Communicate | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 | Communicate | Preventive | |
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 | Communicate | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 | Communicate | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 | Communicate | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 | Communicate | Preventive | |
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 | Communicate | Preventive | |
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 | Communicate | Preventive | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Establish/Maintain Documentation | Preventive | |
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 | Data and Information Management | Preventive | |
Provide the data subject with the data protection officer's contact information. CC ID 12573 [A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data. § 8.(9) Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. § 6.(3)] | Business Processes | Preventive | |
Provide the data subject with information about the right to erasure. CC ID 12602 [A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent, including consent as referred to in clause (a) of section 7, in accordance with any requirement or procedure under any law for the time being in force. § 12.(1)] | Process or Activity | Preventive | |
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the personal data and the purpose for which the same has been processed; § 5.(2) ¶ 1(a)(i) The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— any other information related to the personal data of such Data Principal and its processing, as may be prescribed. § 11.(1)(c) The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— a summary of personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data; § 11.(1)(a)] | Establish/Maintain Documentation | Preventive | |
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 [The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and § 11.(1)(b)] | Data and Information Management | Preventive | |
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a disclosure accounting record. CC ID 13022 | Establish/Maintain Documentation | Preventive | |
Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 | Establish/Maintain Documentation | Preventive | |
Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 | Establish/Maintain Documentation | Preventive | |
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 [The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and § 11.(1)(b)] | Establish/Maintain Documentation | Preventive | |
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Establish/Maintain Documentation | Preventive | |
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Establish/Maintain Documentation | Preventive | |
Include the disclosure date in the disclosure accounting record. CC ID 07133 | Establish/Maintain Documentation | Preventive | |
Include the disclosure recipient in the disclosure accounting record. CC ID 07134 | Establish/Maintain Documentation | Preventive | |
Include the disclosure purpose in the disclosure accounting record. CC ID 07135 | Establish/Maintain Documentation | Preventive | |
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 | Establish/Maintain Documentation | Preventive | |
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 | Establish/Maintain Documentation | Preventive | |
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 | Establish/Maintain Documentation | Preventive | |
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 | Establish/Maintain Documentation | Preventive | |
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 | Establish/Maintain Documentation | Preventive | |
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 | Establish/Maintain Documentation | Preventive | |
Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 | Data and Information Management | Preventive | |
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 | Communicate | Preventive | |
Establish, implement, and maintain a privacy policy. CC ID 06281 | Establish/Maintain Documentation | Preventive | |
Document privacy policies in clearly written and easily understood language. CC ID 00376 | Establish/Maintain Documentation | Detective | |
Write privacy notices in the official languages required by law. CC ID 16529 [The Data Fiduciary shall give the Data Principal the option to access the contents of the notice referred to in sub-sections (1) and (2) in English or any language specified in the Eighth Schedule to the Constitution. § 5.(3)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain personal data choice and consent program. CC ID 12569 | Establish/Maintain Documentation | Preventive | |
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent. § 5.(2)(b)] | Data and Information Management | Preventive | |
Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Business Processes | Preventive | |
Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Business Processes | Preventive | |
Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 [Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given. § 6.(4)] | Data and Information Management | Preventive | |
Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880 | Technical Security | Preventive | |
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [{timely manner} If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India. § 6.(6)] | Business Processes | Preventive | |
Allow consent requests to be provided in any official languages. CC ID 16530 [Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. § 6.(3)] | Business Processes | Preventive | |
Give individuals the ability to change the uses of their personal data. CC ID 00469 [Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given. § 6.(4)] | Data and Information Management | Preventive | |
Notify data subjects of the implications of withdrawing consent. CC ID 13551 [The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal. § 6.(5)] | Data and Information Management | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Establish/Maintain Documentation | Preventive | |
Require data controllers to be accountable for their actions. CC ID 00470 [Where a consent given by the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given by her to the Data Principal and consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder. § 6.(10)] | Establish Roles | Preventive | |
Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 | Human Resources Management | Preventive | |
Notify the supervisory authority. CC ID 00472 | Behavior | Preventive | |
Establish, implement, and maintain approval applications. CC ID 16778 | Establish/Maintain Documentation | Preventive | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Business Processes | Preventive | |
Submit approval applications to the supervisory authority. CC ID 16627 | Communicate | Preventive | |
Include required information in the approval application. CC ID 16628 | Establish/Maintain Documentation | Preventive | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Business Processes | Preventive | |
Approve the approval application unless applicant has been convicted. CC ID 16603 | Process or Activity | Preventive | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 | Process or Activity | Preventive | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Communicate | Preventive | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Communicate | Corrective | |
Cooperate with Data Protection Authorities. CC ID 06870 | Data and Information Management | Preventive | |
Submit a safe harbor self-certification letter. CC ID 06871 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract. § 8.(2)] | Establish/Maintain Documentation | Preventive | |
Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Establish/Maintain Documentation | Preventive | |
Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 | Establish/Maintain Documentation | Preventive | |
Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Establish/Maintain Documentation | Preventive | |
Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 | Establish/Maintain Documentation | Preventive | |
Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 | Establish/Maintain Documentation | Preventive | |
Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 | Establish/Maintain Documentation | Preventive | |
Include the duration of processing in the Data Processing Contract. CC ID 14935 | Establish/Maintain Documentation | Preventive | |
Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Establish/Maintain Documentation | Preventive | |
Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 | Establish/Maintain Documentation | Preventive | |
Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 | Establish/Maintain Documentation | Preventive | |
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 | Establish/Maintain Documentation | Preventive | |
Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 | Human Resources Management | Preventive | |
Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 | Establish/Maintain Documentation | Preventive | |
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 [{not be served} The purpose referred to in clause (a) of sub-section (7) shall be deemed to no longer be served, if the Data Principal does not–– exercise any of her rights in relation to such processing, § 8.(8) ¶ 1(b) {requirement} The purpose referred to in clause (a) of sub-section (7) shall be deemed to no longer be served, if the Data Principal does not–– approach the Data Fiduciary for the performance of the specified purpose; and § 8.(8) ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Display or print the least amount of personal data necessary. CC ID 04643 | Data and Information Management | Preventive | |
Redact confidential information from public information, as necessary. CC ID 06872 | Data and Information Management | Preventive | |
Notify the data subject of the collection purpose. CC ID 00095 | Behavior | Preventive | |
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Data and Information Management | Preventive | |
Document the law that requires restricted data to be collected. CC ID 00103 | Establish/Maintain Documentation | Preventive | |
Notify the data subject of the consequences for not providing personal data. CC ID 00104 [The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal. § 6.(5)] | Behavior | Preventive | |
Notify the data subject of changes to personal data use. CC ID 00105 | Behavior | Preventive | |
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Establish/Maintain Documentation | Preventive | |
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Establish/Maintain Documentation | Preventive | |
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Establish/Maintain Documentation | Preventive | |
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Establish/Maintain Documentation | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Establish/Maintain Documentation | Preventive | |
Obtain the data subject's consent when the personal data use changes. CC ID 11832 | Behavior | Preventive | |
Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 | Establish/Maintain Documentation | Preventive | |
Dispose of media and restricted data in a timely manner. CC ID 00125 | Data and Information Management | Preventive | |
Refrain from destroying records being inspected or reviewed. CC ID 13015 | Records Management | Preventive | |
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Communicate | Preventive | |
Establish, implement, and maintain data access procedures. CC ID 00414 | Establish/Maintain Documentation | Preventive | |
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 [Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the personal data and the purpose for which the same is proposed to be processed; § 5.(1) ¶ 1(i) Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the personal data and the purpose for which the same has been processed; § 5.(2) ¶ 1(a)(i)] | Data and Information Management | Preventive | |
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [A Data Principal shall make a request in such manner as may be prescribed to the Data Fiduciary for erasure of her personal data, and upon receipt of such a request, the Data Fiduciary shall erase her personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force. § 12.(3) A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent, including consent as referred to in clause (a) of section 7, in accordance with any requirement or procedure under any law for the time being in force. § 12.(1)] | Establish/Maintain Documentation | Preventive | |
Submit personal data removal requests in writing. CC ID 11973 | Records Management | Preventive | |
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Establish/Maintain Documentation | Preventive | |
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Records Management | Corrective | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Establish/Maintain Documentation | Preventive | |
Refrain from processing restricted data, as necessary. CC ID 12551 | Records Management | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 [{requirement} {erase} {personal data} {correct} {complete} {update} In respect of processing by the State or any instrumentality of the State, the provisions of sub-section (7) of section 8 and sub-section (3) of section 12 and, where such processing is for a purpose that does not include making of a decision that affects the Data Principal, sub-section (2) of section 12 shall not apply. § 17.(4)] | Process or Activity | Preventive | |
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Data and Information Management | Preventive | |
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 [A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children. § 9.(3)] | Data and Information Management | Preventive | |
Process restricted data lawfully and carefully. CC ID 00086 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force; § 7.(d) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— § 4.(1) The provisions of this Act shall not apply in respect of the processing of personal data— necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed. § 17.(2)(b) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–– subject to standards followed for processing being in accordance with the policy issued by the Central Government or any law for the time being in force for governance of personal data. § 7.(b) ¶ 2 {requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force. § 17.(1)(f)] | Establish Roles | Preventive | |
Analyze requirements for processing personal data in contracts. CC ID 12550 | Investigate | Detective | |
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Technical Security | Preventive | |
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Data and Information Management | Preventive | |
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Communicate | Corrective | |
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Records Management | Preventive | |
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Establish/Maintain Documentation | Preventive | |
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Data and Information Management | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Records Management | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Process or Activity | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Records Management | Preventive | |
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Data and Information Management | Preventive | |
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Establish/Maintain Documentation | Preventive | |
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Establish/Maintain Documentation | Preventive | |
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Data and Information Management | Preventive | |
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Establish/Maintain Documentation | Preventive | |
Define and implement valid authorization control requirements. CC ID 06258 | Establish/Maintain Documentation | Preventive | |
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Data and Information Management | Preventive | |
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Data and Information Management | Preventive | |
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Data and Information Management | Preventive | |
Process personal data after the data subject has granted explicit consent. CC ID 00180 [{unambiguous and implicit consent} The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. § 6.(1) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data. § 7.(a) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–– she has previously consented to the processing of her personal data by the State or any of its instrumentalities for any subsidy, benefit, service, certificate, licence or permit; or § 7.(b) ¶ 1(i) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— for which the Data Principal has given her consent; or § 4.(1)(a)] | Data and Information Management | Preventive | |
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India; § 7.(e) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State; § 7.(c) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force; § 7.(d) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee. § 7.(i) The provisions of this Act shall not apply in respect of the processing of personal data— by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and § 17.(2)(a) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–– such personal data is available in digital form in, or in non-digital form and digitised subsequently from, any database, register, book or other document which is maintained by the State or any of its instrumentalities and is notified by the Central Government, § 7.(b) ¶ 1(ii)] | Data and Information Management | Preventive | |
Process personal data relating to criminal offenses when required by law. CC ID 00237 | Data and Information Management | Preventive | |
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual; § 7.(f)] | Data and Information Management | Preventive | |
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health; § 7.(g) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual; § 7.(f)] | Data and Information Management | Preventive | |
Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Data and Information Management | Preventive | |
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— for certain legitimate uses. § 4.(1)(b)] | Data and Information Management | Preventive | |
Process traffic data in a controlled manner. CC ID 00130 | Data and Information Management | Preventive | |
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to providepan> or style="background-color:#CBD0E5;" class="term_secondary-verb">issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be <span style="background-color:#CBD0E5;" class="term_secondary-verb">prescribed, where–– § 7.(b) ¶ 1] | Data and Information Management | Preventive | |
Process personal data when it is publicly accessible. CC ID 00187 | Data and Information Management | Preventive | |
Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Data and Information Management | Preventive | |
Refrain from processing personal data for marketing or advertising to children. CC ID 14010 [A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children. § 9.(3)] | Business Processes | Preventive | |
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Communicate | Corrective | |
Process personal data for the purposes of employment. CC ID 16527 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee. § 7.(i)] | Data and Information Management | Preventive | |
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India; § 7.(e)] | Data and Information Management | Preventive | |
Process personal data for debt collection or benefit payments. CC ID 00190 [{requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force. § 17.(1)(f)] | Data and Information Management | Preventive | |
Process personal data in order to advance the public interest. CC ID 00191 [The provisions of this Act shall not apply in respect of the processing of personal data— by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and § 17.(2)(a)] | Data and Information Management | Preventive | |
Process personal data for surveys, archives, or scientific research. CC ID 00192 | Data and Information Management | Preventive | |
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Data and Information Management | Preventive | |
Process personal data for academic purposes or religious purposes. CC ID 00194 | Data and Information Management | Preventive | |
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order. § 7.(h) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State; § 7.(c) The provisions of this Act shall not apply in respect of the processing of personal data— by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and § 17.(2)(a)] | Data and Information Management | Preventive | |
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Data and Information Management | Preventive | |
Follow legal obligations while processing personal data. CC ID 04794 | Data and Information Management | Preventive | |
Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Data and Information Management | Preventive | |
Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 [The provisions of sub-sections (1) and (3) shall not be applicable to processing of personal data of a child by such classes of Data Fiduciaries or for such purposes, and subject to such conditions, as may be prescribed. § 9.(4)] | Data and Information Management | Preventive | |
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 | Process or Activity | Preventive | |
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 | Data and Information Management | Preventive | |
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 | Data and Information Management | Preventive | |
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Data and Information Management | Preventive | |
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 | Data and Information Management | Preventive | |
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 | Data and Information Management | Preventive | |
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 | Data and Information Management | Preventive | |
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 | Data and Information Management | Preventive | |
Process personal data absent consent in order to perform a contract. CC ID 13586 [{requirement} {be outside} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India; § 17.(1)(d)] | Data and Information Management | Preventive | |
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Data and Information Management | Preventive | |
Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Data and Information Management | Preventive | |
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 | Data and Information Management | Preventive | |
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Data and Information Management | Preventive | |
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 [The provisions of this Act shall not apply in respect of the processing of personal data— necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed. § 17.(2)(b)] | Data and Information Management | Preventive | |
Process personal data absent consent when it is needed by law. CC ID 13577 [{requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing of personal data is necessary for enforcing any legal right or claim; § 17.(1)(a) {judicial function} {quasi-judicial function} {regulatory function} {requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing of personal data by any court or tribunal or any other body in India which is entrusted by law with the performance of any judicial or quasi-judicial or regulatory or supervisory function, where such processing is necessary for the performance of such function; § 17.(1)(b) {requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India; § 17.(1)(c) {timely manner} If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India. § 6.(6)] | Data and Information Management | Preventive | |
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 | Data and Information Management | Preventive | |
Process personal data absent consent when it is from publicly available information. CC ID 13576 | Data and Information Management | Preventive | |
Process personal data absent consent to create a credit report. CC ID 15288 | Data and Information Management | Preventive | |
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 | Data and Information Management | Preventive | |
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 | Data and Information Management | Preventive | |
Process personal data absent consent when produced for business purposes. CC ID 13563 | Data and Information Management | Preventive | |
Process personal data absent consent for handling insurance claims. CC ID 13561 | Data and Information Management | Preventive | |
Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 [{requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing is necessary for a scheme of compromise or arrangement or merger or amalgamation of two or more companies or a reconstruction by way of demerger or otherwise of a company, or transfer of undertaking of one or more company to another company, or involving division of one or more companies, approved by a court or tribunal or other authority competent to do so by any law for the time being in force; and § 17.(1)(e)] | Data and Information Management | Preventive | |
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Data and Information Management | Preventive | |
Process personal data absent consent for life-threatening emergencies. CC ID 13558 | Data and Information Management | Preventive | |
Process personal data absent consent for reasonable investigative purposes. CC ID 13557 | Data and Information Management | Preventive | |
Define the exceptions to disclosure absent consent. CC ID 00135 | Establish/Maintain Documentation | Preventive | |
Define how a data subject may give consent. CC ID 00160 [Any part of consent referred in sub-section (1) which constitutes an infringement of the provisions of this Act or the rules made thereunder or any other law for the time being in force shall be invalid to the extent of such infringement. § 6.(2)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain personal data disposition procedures. CC ID 13498 [{refrain from serving} A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,— erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and § 8.(7)(a)] | Establish/Maintain Documentation | Preventive | |
Capture personal data removal requests. CC ID 13507 | Communicate | Preventive | |
Remove personal data from records after receiving a personal data removal request. CC ID 11972 [A Data Principal shall make a request in such manner as may be prescribed to the Data Fiduciary for erasure of her personal data, and upon receipt of such a request, the Data Fiduciary shall erase her personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force. § 12.(3)] | Records Management | Preventive | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Process or Activity | Preventive | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Process or Activity | Preventive | |
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 | Data and Information Management | Preventive | |
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 [The Data Fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed. § 9.(1)] | Data and Information Management | Preventive | |
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Data and Information Management | Preventive | |
Establish, implement, and maintain data disclosure procedures. CC ID 00133 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data request denial procedures. CC ID 00434 [{requirement} {erase} {personal data} {correct} {complete} {update} In respect of processing by the State or any instrumentality of the State, the provisions of sub-section (7) of section 8 and sub-section (3) of section 12 and, where such processing is for a purpose that does not include making of a decision that affects the Data Principal, sub-section (2) of section 12 shall not apply. § 17.(4)] | Establish/Maintain Documentation | Preventive | |
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Data and Information Management | Preventive | |
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Data and Information Management | Preventive | |
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Data and Information Management | Preventive | |
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Data and Information Management | Preventive | |
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Data and Information Management | Preventive | |
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Data and Information Management | Preventive | |
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Data and Information Management | Preventive | |
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Data and Information Management | Preventive | |
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Data and Information Management | Preventive | |
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Process or Activity | Preventive | |
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Data and Information Management | Preventive | |
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Data and Information Management | Preventive | |
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Data and Information Management | Preventive | |
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Data and Information Management | Detective | |
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Data and Information Management | Preventive | |
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Data and Information Management | Preventive | |
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Data and Information Management | Preventive | |
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Data and Information Management | Preventive | |
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Data and Information Management | Preventive | |
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Data and Information Management | Preventive | |
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Data and Information Management | Preventive | |
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Data and Information Management | Preventive | |
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 | Data and Information Management | Preventive | |
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Communicate | Preventive | |
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Data and Information Management | Preventive | |
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Process or Activity | Preventive | |
Establish, implement, and maintain a personal data collection program. CC ID 06487 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data use policy. CC ID 00076 | Establish/Maintain Documentation | Preventive | |
Use personal data for specified purposes. CC ID 11831 [{unambiguous and implicit consent} The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. § 6.(1) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data. § 7.(a)] | Data and Information Management | Preventive | |
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 | Data and Information Management | Preventive | |
Document each individual's personal data collection consent preferences. CC ID 06945 | Establish/Maintain Documentation | Preventive | |
Provide explicit consent that is clear and unambiguous. CC ID 00181 [{unambiguous and implicit consent} The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. § 6.(1) Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. § 6.(3)] | Data and Information Management | Preventive | |
Give special attention to collecting children's data. CC ID 00038 [A Data Fiduciary shall not undertake such processing of personal data that is likely to cause any detrimental effect on the well-being of a child. § 9.(2)] | Data and Information Management | Preventive | |
Use simple understandable language to collect information from children. CC ID 00039 | Behavior | Preventive | |
Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Establish/Maintain Documentation | Preventive | |
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Data and Information Management | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Data and Information Management | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Establish/Maintain Documentation | Preventive | |
Implement security measures to protect personal data. CC ID 13606 [A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach. § 8.(5)] | Technical Security | Preventive | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 [A Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of such Data Principal or the exercise of her rights under the provisions of this Act and the rules made thereunder. § 13.(1)] | Data and Information Management | Preventive | |
Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 | Behavior | Preventive | |
Implement procedures to file privacy rights violation complaints. CC ID 00476 | Data and Information Management | Corrective | |
File privacy rights violation complaints in writing. CC ID 00477 | Establish/Maintain Documentation | Corrective | |
Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 | Establish/Maintain Documentation | Corrective | |
Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 | Establish/Maintain Documentation | Preventive | |
Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the manner in which the Data Principal may make a complaint to the Board, § 5.(2) ¶ 1(a)(iii) Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the manner in which the Data Principal may make a complaint to the Board, § 5.(1) ¶ 1(iii)] | Behavior | Corrective | |
Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 | Business Processes | Preventive | |
File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 | Behavior | Corrective | |
Change or destroy any personal data that is incorrect. CC ID 00462 [A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— correct the inaccurate or misleading personal data; § 12.(2)(a) A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— complete the incomplete personal data; and § 12.(2)(b) A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— update the personal data. § 12.(2)(c)] | Data and Information Management | Corrective | |
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Behavior | Corrective | |
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Data and Information Management | Preventive | |
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Data and Information Management | Corrective | |
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 [A Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals. § 8.(10)] | Establish/Maintain Documentation | Preventive | |
Include potential remedies in the privacy dispute resolution program. CC ID 12531 | Establish/Maintain Documentation | Preventive | |
Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 | Establish/Maintain Documentation | Preventive | |
Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 [{time requirement} The Data Fiduciary or Consent Manager shall respond to any grievances referred to in sub-section (1) within such period as may be prescribed from the date of its receipt for all or any class of Data Fiduciaries. § 13.(2)] | Establish/Maintain Documentation | Preventive | |
Document unresolved challenges. CC ID 13568 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 | Establish/Maintain Documentation | Preventive | |
Notify individuals of their right to challenge personal data. CC ID 00457 | Data and Information Management | Preventive | |
Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 | Data and Information Management | Preventive | |
Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 | Configuration | Preventive | |
Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 | Human Resources Management | Preventive | |
Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 | Data and Information Management | Preventive | |
Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 | Communicate | Preventive | |
Investigate the disputed accuracy of personal data. CC ID 00461 | Data and Information Management | Preventive | |
Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 | Behavior | Corrective | |
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 [A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,— cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor. § 8.(7)(b)] | Behavior | Corrective | |
Notify third parties of unresolved challenges. CC ID 13559 | Communicate | Preventive | |
Document disagreements as to whether personal data is complete and accurate. CC ID 06952 | Establish/Maintain Documentation | Preventive | |
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 | Establish/Maintain Documentation | Preventive | |
Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 | Data and Information Management | Corrective | |
Investigate privacy rights violation complaints. CC ID 00480 | Behavior | Detective | |
Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 | Business Processes | Corrective | |
Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 | Behavior | Detective | |
Include the allegations against the organization in the notice of investigation. CC ID 13031 | Establish/Maintain Documentation | Preventive | |
Investigate privacy rights violation complaints in private. CC ID 00492 | Behavior | Detective | |
Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 | Behavior | Detective | |
Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 | Behavior | Detective | |
Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 | Behavior | Preventive | |
Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 | Behavior | Preventive | |
Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 | Behavior | Preventive | |
Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 | Behavior | Preventive | |
Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 | Behavior | Preventive | |
Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 | Behavior | Preventive | |
Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 | Behavior | Preventive | |
Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 | Behavior | Preventive | |
Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 | Behavior | Preventive | |
Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 | Communicate | Corrective | |
Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 | Establish/Maintain Documentation | Corrective | |
Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 | Behavior | Corrective | |
Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 [The Data Principal shall exhaust the opportunity of redressing her grievance under this section before approaching the Board. § 13.(3)] | Establish/Maintain Documentation | Detective | |
Order the organization to change to be in compliance with applicable law. CC ID 00499 | Behavior | Corrective | |
Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 | Behavior | Corrective | |
Award damages based on applicable law. CC ID 00501 | Behavior | Corrective | |
Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 | Data and Information Management | Corrective | |
Define the organization's liability based on the applicable law. CC ID 00504 | Establish/Maintain Documentation | Preventive | |
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Establish/Maintain Documentation | Preventive | |
Define the appeal process based on the applicable law. CC ID 00506 [{requirement} {time requirement} Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed. § 29.(2)] | Establish/Maintain Documentation | Preventive | |
Define the fee structure for the appeal process. CC ID 16532 [{requirement} {time requirement} Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed. § 29.(2)] | Process or Activity | Preventive | |
Define the time requirements for the appeal process. CC ID 16531 [{requirement} {time requirement} Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed. § 29.(2)] | Process or Activity | Preventive | |
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 | Communicate | Preventive | |
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 | Communicate | Preventive | |
Provide notice of proposed penalties. CC ID 06216 | Establish/Maintain Documentation | Preventive | |
Notify the public and other agencies after a penalty becomes final. CC ID 06217 | Behavior | Preventive | |
Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 | Testing | Detective | |
Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Data and Information Management | Preventive | |
Establish, implement, and maintain customer data authentication procedures. CC ID 13187 | Establish/Maintain Documentation | Preventive | |
Check the accuracy of restricted data. CC ID 00088 [Where personal data processed by a Data Fiduciary is likely to be— used to make a decision that affects the Data Principal; or disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. § 8.(3) ¶ 2] | Data and Information Management | Preventive | |
Record restricted data correctly. CC ID 00089 | Testing | Detective | |
Check that restricted data is complete. CC ID 00090 [Where personal data processed by a Data Fiduciary is likely to be— used to make a decision that affects the Data Principal; or disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. § 8.(3) ¶ 2] | Data and Information Management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data processing integrity controls. CC ID 00923 [Where personal data processed by a Data Fiduciary is likely to be— used to make a decision that affects the Data Principal; or disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. § 8.(3) ¶ 2] | Establish Roles | Preventive | |
Compare each record's data input to its final form. CC ID 11813 | Records Management | Detective | |
Sanitize user input in accordance with organizational standards. CC ID 16856 | Process or Activity | Preventive | |
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Data and Information Management | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Establish/Maintain Documentation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a digital identity management program. CC ID 13713 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager. § 6.(7) A Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act and the rules made thereunder. § 14.(1)] | Establish/Maintain Documentation | Preventive | |
Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Establish/Maintain Documentation | Preventive | |
Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Establish/Maintain Documentation | Preventive | |
Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 | Establish/Maintain Documentation | Preventive | |
Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Establish/Maintain Documentation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Process or Activity | Detective | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach. § 8.(5)] | Testing | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Testing | Detective | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Establish/Maintain Documentation | Preventive | |
Establish the third party's service continuity. CC ID 00797 | Testing | Detective | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Testing | Detective | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Data and Information Management | Detective | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Testing | Detective |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 | Audits and risk management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Detective | |
Audit in scope audit items and compliance documents. CC ID 06730 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic audit; and § 10.(2)(c)(ii) The Significant Data Fiduciary shall— appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and § 10.(2)(b)] | Audits and risk management | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Detective | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Detective | |
Audit policies, standards, and procedures. CC ID 12927 | Audits and risk management | Preventive | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Detective | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and risk management | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Detective | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and risk management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Detective | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Detective | |
Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and risk management | Preventive | |
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and risk management | Preventive | |
Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and risk management | Preventive | |
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and risk management | Preventive | |
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and risk management | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Preventive | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Detective | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and risk management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Detective | |
Explain the goals of the interview to the interviewee. CC ID 07189 | Audits and risk management | Detective | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Preventive | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Preventive | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Preventive | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Preventive | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Preventive | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Operational management | Preventive | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Corrective | |
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)] | Privacy protection for information and data | Preventive | |
Notify the supervisory authority. CC ID 00472 | Privacy protection for information and data | Preventive | |
Notify the data subject of the collection purpose. CC ID 00095 | Privacy protection for information and data | Preventive | |
Notify the data subject of the consequences for not providing personal data. CC ID 00104 [The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal. § 6.(5)] | Privacy protection for information and data | Preventive | |
Notify the data subject of changes to personal data use. CC ID 00105 | Privacy protection for information and data | Preventive | |
Obtain the data subject's consent when the personal data use changes. CC ID 11832 | Privacy protection for information and data | Preventive | |
Use simple understandable language to collect information from children. CC ID 00039 | Privacy protection for information and data | Preventive | |
Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 | Privacy protection for information and data | Preventive | |
Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the manner in which the Data Principal may make a complaint to the Board, § 5.(2) ¶ 1(a)(iii) Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the manner in which the Data Principal may make a complaint to the Board, § 5.(1) ¶ 1(iii)] | Privacy protection for information and data | Corrective | |
File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 | Privacy protection for information and data | Corrective | |
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Privacy protection for information and data | Corrective | |
Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 | Privacy protection for information and data | Corrective | |
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 [A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,— cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor. § 8.(7)(b)] | Privacy protection for information and data | Corrective | |
Investigate privacy rights violation complaints. CC ID 00480 | Privacy protection for information and data | Detective | |
Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 | Privacy protection for information and data | Detective | |
Investigate privacy rights violation complaints in private. CC ID 00492 | Privacy protection for information and data | Detective | |
Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 | Privacy protection for information and data | Detective | |
Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 | Privacy protection for information and data | Detective | |
Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 | Privacy protection for information and data | Preventive | |
Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 | Privacy protection for information and data | Preventive | |
Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 | Privacy protection for information and data | Preventive | |
Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 | Privacy protection for information and data | Preventive | |
Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 | Privacy protection for information and data | Preventive | |
Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 | Privacy protection for information and data | Preventive | |
Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 | Privacy protection for information and data | Preventive | |
Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 | Privacy protection for information and data | Preventive | |
Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 | Privacy protection for information and data | Preventive | |
Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 | Privacy protection for information and data | Corrective | |
Order the organization to change to be in compliance with applicable law. CC ID 00499 | Privacy protection for information and data | Corrective | |
Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 | Privacy protection for information and data | Corrective | |
Award damages based on applicable law. CC ID 00501 | Privacy protection for information and data | Corrective | |
Notify the public and other agencies after a penalty becomes final. CC ID 06217 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Leadership and high level objectives | Preventive | |
Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Leadership and high level objectives | Preventive | |
Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Leadership and high level objectives | Preventive | |
Attach the required information to each funds transfer. CC ID 16756 | Leadership and high level objectives | Preventive | |
Verify all required information is attached to each funds transfer. CC ID 16755 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Leadership and high level objectives | Preventive | |
Refrain from setting up anonymous financial accounts. CC ID 16721 | Leadership and high level objectives | Preventive | |
Identify and maintain positions in financial accounts. CC ID 16751 | Leadership and high level objectives | Preventive | |
Supplement financial resources, as necessary. CC ID 16685 | Leadership and high level objectives | Preventive | |
Limit the types of assets accepted as collateral. CC ID 16602 | Leadership and high level objectives | Preventive | |
Avoid the use of concentrated holdings of assets. CC ID 16651 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a securities trading program. CC ID 16626 | Leadership and high level objectives | Preventive | |
Include investment information in approval requests for investments. CC ID 16590 | Leadership and high level objectives | Preventive | |
Review and approve lending policies. CC ID 16607 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain margin systems. CC ID 16601 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Leadership and high level objectives | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Preventive | |
Respond to questions or clarification requests regarding the audit. CC ID 08902 | Audits and risk management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Preventive | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [{technical measure} A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder. § 8.(4)] | Operational management | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Preventive | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Preventive | |
Provide the data subject with the data protection officer's contact information. CC ID 12573 [A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data. § 8.(9) Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. § 6.(3)] | Privacy protection for information and data | Preventive | |
Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Privacy protection for information and data | Preventive | |
Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Privacy protection for information and data | Preventive | |
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [{timely manner} If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India. § 6.(6)] | Privacy protection for information and data | Preventive | |
Allow consent requests to be provided in any official languages. CC ID 16530 [Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. § 6.(3)] | Privacy protection for information and data | Preventive | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Preventive | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data for marketing or advertising to children. CC ID 14010 [A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children. § 9.(3)] | Privacy protection for information and data | Preventive | |
Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 | Privacy protection for information and data | Preventive | |
Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 | Privacy protection for information and data | Corrective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Leadership and high level objectives | Preventive | |
Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Leadership and high level objectives | Preventive | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Preventive | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Preventive | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Preventive | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Preventive | |
Deliver privacy notices to data subjects, as necessary. CC ID 13444 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– § 5.(2) ¶ 1(a) Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— § 5.(1) ¶ 1] | Privacy protection for information and data | Preventive | |
Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 | Privacy protection for information and data | Preventive | |
Notify data subjects about their privacy rights. CC ID 12989 [Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and § 5.(1) ¶ 1(ii) Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and § 5.(2) ¶ 1(a)(ii)] | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject, as necessary. CC ID 12625 [{shall not apply} {requirement} {Data Principal} {furnish} {information} Nothing contained in clause (b) or clause (c) of sub-section (1) shall apply in respect of the sharing of any personal data by the said Data Fiduciary with any other Data Fiduciary authorised by law to obtain such personal data, where such sharing is pursuant to a request made in writing by such other Data Fiduciary for the purpose of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences. § 11.(2)] | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 | Privacy protection for information and data | Preventive | |
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 | Privacy protection for information and data | Preventive | |
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 | Privacy protection for information and data | Preventive | |
Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Preventive | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Preventive | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Corrective | |
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Preventive | |
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Privacy protection for information and data | Corrective | |
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Privacy protection for information and data | Corrective | |
Capture personal data removal requests. CC ID 13507 | Privacy protection for information and data | Preventive | |
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Preventive | |
Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 | Privacy protection for information and data | Preventive | |
Notify third parties of unresolved challenges. CC ID 13559 | Privacy protection for information and data | Preventive | |
Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 | Privacy protection for information and data | Corrective | |
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 | Privacy protection for information and data | Preventive | |
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include valuation models in the margin system. CC ID 16663 | Leadership and high level objectives | Preventive | |
Include procedures for collecting price data in the margin system. CC ID 16662 | Leadership and high level objectives | Preventive | |
Include reliable sources for price data in the margin system. CC ID 16661 | Leadership and high level objectives | Preventive | |
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Leadership and high level objectives | Preventive | |
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Leadership and high level objectives | Preventive | |
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Leadership and high level objectives | Preventive | |
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Leadership and high level objectives | Preventive | |
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Leadership and high level objectives | Preventive | |
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Leadership and high level objectives | Preventive | |
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Leadership and high level objectives | Preventive | |
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Leadership and high level objectives | Preventive | |
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Leadership and high level objectives | Preventive | |
Include account information In the recordkeeping system for securities transactions. CC ID 16632 | Leadership and high level objectives | Preventive | |
Share incident information with interested personnel and affected parties. CC ID 01212 | Operational management | Corrective | |
Report data loss event information to breach notification organizations. CC ID 01210 [In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed. § 8.(6)] | Operational management | Corrective | |
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Records management | Preventive | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain adequate openness procedures. CC ID 00377 | Privacy protection for information and data | Preventive | |
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 | Privacy protection for information and data | Preventive | |
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 [The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and § 11.(1)(b)] | Privacy protection for information and data | Preventive | |
Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 | Privacy protection for information and data | Preventive | |
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent. § 5.(2)(b)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 [Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given. § 6.(4)] | Privacy protection for information and data | Preventive | |
Give individuals the ability to change the uses of their personal data. CC ID 00469 [Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given. § 6.(4)] | Privacy protection for information and data | Preventive | |
Notify data subjects of the implications of withdrawing consent. CC ID 13551 [The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal. § 6.(5)] | Privacy protection for information and data | Preventive | |
Cooperate with Data Protection Authorities. CC ID 06870 | Privacy protection for information and data | Preventive | |
Display or print the least amount of personal data necessary. CC ID 04643 | Privacy protection for information and data | Preventive | |
Redact confidential information from public information, as necessary. CC ID 06872 | Privacy protection for information and data | Preventive | |
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Privacy protection for information and data | Preventive | |
Dispose of media and restricted data in a timely manner. CC ID 00125 | Privacy protection for information and data | Preventive | |
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 [Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the personal data and the purpose for which the same is proposed to be processed; § 5.(1) ¶ 1(i) Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the personal data and the purpose for which the same has been processed; § 5.(2) ¶ 1(a)(i)] | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 [A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children. § 9.(3)] | Privacy protection for information and data | Preventive | |
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Privacy protection for information and data | Preventive | |
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Privacy protection for information and data | Preventive | |
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Privacy protection for information and data | Preventive | |
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Privacy protection for information and data | Preventive | |
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Privacy protection for information and data | Preventive | |
Process personal data after the data subject has granted explicit consent. CC ID 00180 [{unambiguous and implicit consent} The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. § 6.(1) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data. § 7.(a) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–– she has previously consented to the processing of her personal data by the State or any of its instrumentalities for any subsidy, benefit, service, certificate, licence or permit; or § 7.(b) ¶ 1(i) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— for which the Data Principal has given her consent; or § 4.(1)(a)] | Privacy protection for information and data | Preventive | |
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India; § 7.(e) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State; § 7.(c) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force; § 7.(d) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee. § 7.(i) The provisions of this Act shall not apply in respect of the processing of personal data— by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and § 17.(2)(a) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–– such personal data is available in digital form in, or in non-digital form and digitised subsequently from, any database, register, book or other document which is maintained by the State or any of its instrumentalities and is notified by the Central Government, § 7.(b) ¶ 1(ii)] | Privacy protection for information and data | Preventive | |
Process personal data relating to criminal offenses when required by law. CC ID 00237 | Privacy protection for information and data | Preventive | |
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual; § 7.(f)] | Privacy protection for information and data | Preventive | |
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health; § 7.(g) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual; § 7.(f)] | Privacy protection for information and data | Preventive | |
Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Privacy protection for information and data | Preventive | |
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— for certain legitimate uses. § 4.(1)(b)] | Privacy protection for information and data | Preventive | |
Process traffic data in a controlled manner. CC ID 00130 | Privacy protection for information and data | Preventive | |
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to providepan> or style="background-color:#CBD0E5;" class="term_secondary-verb">issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be <span style="background-color:#CBD0E5;" class="term_secondary-verb">prescribed, where–– § 7.(b) ¶ 1] | Privacy protection for information and data | Preventive | |
Process personal data when it is publicly accessible. CC ID 00187 | Privacy protection for information and data | Preventive | |
Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Privacy protection for information and data | Preventive | |
Process personal data for the purposes of employment. CC ID 16527 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee. § 7.(i)] | Privacy protection for information and data | Preventive | |
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India; § 7.(e)] | Privacy protection for information and data | Preventive | |
Process personal data for debt collection or benefit payments. CC ID 00190 [{requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force. § 17.(1)(f)] | Privacy protection for information and data | Preventive | |
Process personal data in order to advance the public interest. CC ID 00191 [The provisions of this Act shall not apply in respect of the processing of personal data— by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and § 17.(2)(a)] | Privacy protection for information and data | Preventive | |
Process personal data for surveys, archives, or scientific research. CC ID 00192 | Privacy protection for information and data | Preventive | |
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Privacy protection for information and data | Preventive | |
Process personal data for academic purposes or religious purposes. CC ID 00194 | Privacy protection for information and data | Preventive | |
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order. § 7.(h) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State; § 7.(c) The provisions of this Act shall not apply in respect of the processing of personal data— by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and § 17.(2)(a)] | Privacy protection for information and data | Preventive | |
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Privacy protection for information and data | Preventive | |
Follow legal obligations while processing personal data. CC ID 04794 | Privacy protection for information and data | Preventive | |
Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Privacy protection for information and data | Preventive | |
Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 [The provisions of sub-sections (1) and (3) shall not be applicable to processing of personal data of a child by such classes of Data Fiduciaries or for such purposes, and subject to such conditions, as may be prescribed. § 9.(4)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 | Privacy protection for information and data | Preventive | |
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 | Privacy protection for information and data | Preventive | |
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 | Privacy protection for information and data | Preventive | |
Process personal data absent consent in order to perform a contract. CC ID 13586 [{requirement} {be outside} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India; § 17.(1)(d)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Privacy protection for information and data | Preventive | |
Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Privacy protection for information and data | Preventive | |
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 [The provisions of this Act shall not apply in respect of the processing of personal data— necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed. § 17.(2)(b)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is needed by law. CC ID 13577 [{requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing of personal data is necessary for enforcing any legal right or claim; § 17.(1)(a) {judicial function} {quasi-judicial function} {regulatory function} {requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing of personal data by any court or tribunal or any other body in India which is entrusted by law with the performance of any judicial or quasi-judicial or regulatory or supervisory function, where such processing is necessary for the performance of such function; § 17.(1)(b) {requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India; § 17.(1)(c) {timely manner} If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India. § 6.(6)] | Privacy protection for information and data | Preventive | |
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is from publicly available information. CC ID 13576 | Privacy protection for information and data | Preventive | |
Process personal data absent consent to create a credit report. CC ID 15288 | Privacy protection for information and data | Preventive | |
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 | Privacy protection for information and data | Preventive | |
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when produced for business purposes. CC ID 13563 | Privacy protection for information and data | Preventive | |
Process personal data absent consent for handling insurance claims. CC ID 13561 | Privacy protection for information and data | Preventive | |
Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 [{requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing is necessary for a scheme of compromise or arrangement or merger or amalgamation of two or more companies or a reconstruction by way of demerger or otherwise of a company, or transfer of undertaking of one or more company to another company, or involving division of one or more companies, approved by a court or tribunal or other authority competent to do so by any law for the time being in force; and § 17.(1)(e)] | Privacy protection for information and data | Preventive | |
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Privacy protection for information and data | Preventive | |
Process personal data absent consent for life-threatening emergencies. CC ID 13558 | Privacy protection for information and data | Preventive | |
Process personal data absent consent for reasonable investigative purposes. CC ID 13557 | Privacy protection for information and data | Preventive | |
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 | Privacy protection for information and data | Preventive | |
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 [The Data Fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed. § 9.(1)] | Privacy protection for information and data | Preventive | |
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Privacy protection for information and data | Preventive | |
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Privacy protection for information and data | Preventive | |
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Privacy protection for information and data | Preventive | |
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Preventive | |
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Preventive | |
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Preventive | |
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Preventive | |
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Preventive | |
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Detective | |
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Privacy protection for information and data | Preventive | |
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Preventive | |
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Preventive | |
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 | Privacy protection for information and data | Preventive | |
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Preventive | |
Use personal data for specified purposes. CC ID 11831 [{unambiguous and implicit consent} The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. § 6.(1) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data. § 7.(a)] | Privacy protection for information and data | Preventive | |
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 | Privacy protection for information and data | Preventive | |
Provide explicit consent that is clear and unambiguous. CC ID 00181 [{unambiguous and implicit consent} The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. § 6.(1) Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. § 6.(3)] | Privacy protection for information and data | Preventive | |
Give special attention to collecting children's data. CC ID 00038 [A Data Fiduciary shall not undertake such processing of personal data that is likely to cause any detrimental effect on the well-being of a child. § 9.(2)] | Privacy protection for information and data | Preventive | |
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Privacy protection for information and data | Preventive | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Privacy protection for information and data | Preventive | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 [A Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of such Data Principal or the exercise of her rights under the provisions of this Act and the rules made thereunder. § 13.(1)] | Privacy protection for information and data | Preventive | |
Implement procedures to file privacy rights violation complaints. CC ID 00476 | Privacy protection for information and data | Corrective | |
Change or destroy any personal data that is incorrect. CC ID 00462 [A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— correct the inaccurate or misleading personal data; § 12.(2)(a) A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— complete the incomplete personal data; and § 12.(2)(b) A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— update the personal data. § 12.(2)(c)] | Privacy protection for information and data | Corrective | |
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Preventive | |
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Corrective | |
Notify individuals of their right to challenge personal data. CC ID 00457 | Privacy protection for information and data | Preventive | |
Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 | Privacy protection for information and data | Preventive | |
Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 | Privacy protection for information and data | Preventive | |
Investigate the disputed accuracy of personal data. CC ID 00461 | Privacy protection for information and data | Preventive | |
Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 | Privacy protection for information and data | Corrective | |
Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 | Privacy protection for information and data | Corrective | |
Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Privacy protection for information and data | Preventive | |
Check the accuracy of restricted data. CC ID 00088 [Where personal data processed by a Data Fiduciary is likely to be— used to make a decision that affects the Data Principal; or disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. § 8.(3) ¶ 2] | Privacy protection for information and data | Preventive | |
Check that restricted data is complete. CC ID 00090 [Where personal data processed by a Data Fiduciary is likely to be— used to make a decision that affects the Data Principal; or disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. § 8.(3) ¶ 2] | Privacy protection for information and data | Preventive | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign the audit to impartial auditors. CC ID 07118 [The Significant Data Fiduciary shall— appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and § 10.(2)(b)] | Audits and risk management | Preventive | |
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Audits and risk management | Preventive | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Preventive | |
Establish, implement, and maintain data processing integrity controls. CC ID 00923 [Where personal data processed by a Data Fiduciary is likely to be— used to make a decision that affects the Data Principal; or disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. § 8.(3) ¶ 2] | Records management | Preventive | |
Include roles and responsibilities in the registration notice. CC ID 16803 | Privacy protection for information and data | Preventive | |
Require data controllers to be accountable for their actions. CC ID 00470 [Where a consent given by the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given by her to the Data Principal and consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder. § 6.(10)] | Privacy protection for information and data | Preventive | |
Process restricted data lawfully and carefully. CC ID 00086 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force; § 7.(d) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— § 4.(1) The provisions of this Act shall not apply in respect of the processing of personal data— necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed. § 17.(2)(b) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–– subject to standards followed for processing being in accordance with the policy issued by the Central Government or any law for the time being in force for governance of personal data. § 7.(b) ¶ 2 {requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force. § 17.(1)(f)] | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Preventive | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— such other measures, consistent with the provisions of this Act, as may be prescribed. § 10.(2)(c)(iii)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a financial management program. CC ID 13228 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Leadership and high level objectives | Preventive | |
Include communication protocols in the financial management program. CC ID 16763 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Leadership and high level objectives | Preventive | |
Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain financial resource management procedures. CC ID 16642 | Leadership and high level objectives | Preventive | |
Document the rationale for the amount of financial resources being held. CC ID 16688 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain collateral procedures. CC ID 16653 | Leadership and high level objectives | Preventive | |
Include the use of appropriate models in the collateral procedures. CC ID 16687 | Leadership and high level objectives | Preventive | |
Define the collateral requirements in the collateral procedures. CC ID 16686 | Leadership and high level objectives | Preventive | |
Identify and document the financial resources available for use. CC ID 16643 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain credit loss procedures. CC ID 16683 | Leadership and high level objectives | Preventive | |
Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Leadership and high level objectives | Preventive | |
Include fairness and equitability standards in the securities trading program. CC ID 16690 | Leadership and high level objectives | Preventive | |
Include roles and responsibilities in the securities trading program. CC ID 16689 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Leadership and high level objectives | Preventive | |
Include performance guarantees in the capital restoration plan. CC ID 16616 | Leadership and high level objectives | Preventive | |
Include corrective actions taken in the capital restoration plan. CC ID 16612 | Leadership and high level objectives | Preventive | |
Include required information in the capital restoration plan. CC ID 16609 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain valuation procedures. CC ID 16634 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain lending policies. CC ID 16608 | Leadership and high level objectives | Preventive | |
Include the requirements for risk assessments in the lending policy. CC ID 16730 | Leadership and high level objectives | Preventive | |
Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Leadership and high level objectives | Preventive | |
Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Leadership and high level objectives | Preventive | |
Include pricing structures in the lending policy. CC ID 16724 | Leadership and high level objectives | Preventive | |
Include monitoring requirements in the lending policy. CC ID 16710 | Leadership and high level objectives | Preventive | |
Include loan origination procedures in the lending policy. CC ID 16709 | Leadership and high level objectives | Preventive | |
Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Leadership and high level objectives | Preventive | |
Include loan requirements in the lending policy. CC ID 16706 | Leadership and high level objectives | Preventive | |
Include appraisals and evaluations in the lending policy. CC ID 16705 | Leadership and high level objectives | Preventive | |
Include terms and conditions in the lending policy. CC ID 16695 | Leadership and high level objectives | Preventive | |
Include the scope and distribution of loans in the lending policy. CC ID 16693 | Leadership and high level objectives | Preventive | |
Include geographic areas in the lending policy. CC ID 16691 | Leadership and high level objectives | Preventive | |
Include underwriting guidelines in the lending policy. CC ID 16619 | Leadership and high level objectives | Preventive | |
Include credit review in the underwriting guidelines. CC ID 16765 | Leadership and high level objectives | Preventive | |
Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Leadership and high level objectives | Preventive | |
Include documentation requirements in the lending policy. CC ID 16617 | Leadership and high level objectives | Preventive | |
Include the purpose of the loan in the loan documentation. CC ID 16747 | Leadership and high level objectives | Preventive | |
Include the source of repayment in the loan documentation. CC ID 16746 | Leadership and high level objectives | Preventive | |
Include approval requirements in the lending policy. CC ID 16615 | Leadership and high level objectives | Preventive | |
Include reporting requirements in the lending policy. CC ID 16614 | Leadership and high level objectives | Preventive | |
Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Leadership and high level objectives | Preventive | |
Include loan administration procedures in the lending policy. CC ID 16610 | Leadership and high level objectives | Preventive | |
Include loan participation agreements in the loan administration procedures. CC ID 16745 | Leadership and high level objectives | Preventive | |
Include termination procedures in the loan participation agreement. CC ID 16753 | Leadership and high level objectives | Preventive | |
Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Leadership and high level objectives | Preventive | |
Include servicing agreements in the loan administration procedures. CC ID 16744 | Leadership and high level objectives | Preventive | |
Include claims processing in the loan administration procedures. CC ID 16742 | Leadership and high level objectives | Preventive | |
Include forbearance management in the loan administration procedures. CC ID 16741 | Leadership and high level objectives | Preventive | |
Include foreclosure management in the loan administration procedures. CC ID 16740 | Leadership and high level objectives | Preventive | |
Include delinquency management in the loan administration procedures. CC ID 16739 | Leadership and high level objectives | Preventive | |
Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Leadership and high level objectives | Preventive | |
Include loan closing in the loan administration procedures. CC ID 16734 | Leadership and high level objectives | Preventive | |
Include payoff statements in the loan administration procedures. CC ID 16733 | Leadership and high level objectives | Preventive | |
Include payment processing in the loan administration procedures. CC ID 16732 | Leadership and high level objectives | Preventive | |
Include loan reviews in the loan administration procedures. CC ID 16703 | Leadership and high level objectives | Preventive | |
Include collections in the loan administration procedures. CC ID 16701 | Leadership and high level objectives | Preventive | |
Include collateral inspections in the loan administration procedures. CC ID 16699 | Leadership and high level objectives | Preventive | |
Include disbursements in the loan administration procedures. CC ID 16697 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a dividend policy. CC ID 16569 | Leadership and high level objectives | Preventive | |
Include compliance requirements in the dividend policy. CC ID 16570 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 | Leadership and high level objectives | Preventive | |
Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Leadership and high level objectives | Preventive | |
Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Leadership and high level objectives | Preventive | |
Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Leadership and high level objectives | Preventive | |
Include the call date in the securities transaction notification. CC ID 16680 | Leadership and high level objectives | Preventive | |
Include service charges and commissions in the securities transaction notification. CC ID 16702 | Leadership and high level objectives | Preventive | |
Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Leadership and high level objectives | Preventive | |
Include the call price in the securities transaction notification. CC ID 16678 | Leadership and high level objectives | Preventive | |
Include debits and credits in the securities transaction notification. CC ID 16677 | Leadership and high level objectives | Preventive | |
Include transactions in the securities transaction notification. CC ID 16676 | Leadership and high level objectives | Preventive | |
Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Leadership and high level objectives | Preventive | |
Include yield information in the securities transaction notification. CC ID 16673 | Leadership and high level objectives | Preventive | |
Include redemption information in the securities transaction notification. CC ID 16672 | Leadership and high level objectives | Preventive | |
Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Leadership and high level objectives | Preventive | |
Include the type of call in the securities transaction notification. CC ID 16668 | Leadership and high level objectives | Preventive | |
Include an account statement in the securities transaction notification. CC ID 16666 | Leadership and high level objectives | Preventive | |
Include the yield to maturity in the securities transaction notification. CC ID 16665 | Leadership and high level objectives | Preventive | |
Include the execution price in the securities transaction notification. CC ID 16664 | Leadership and high level objectives | Preventive | |
Include the organization's role in the securities transaction notification. CC ID 16646 | Leadership and high level objectives | Preventive | |
Include the name of the broker in the securities transaction notification. CC ID 16647 | Leadership and high level objectives | Preventive | |
Include the name of the customer in the securities transaction notification. CC ID 16625 | Leadership and high level objectives | Preventive | |
Include the organization's name in the securities transaction notification. CC ID 16624 | Leadership and high level objectives | Preventive | |
Include confirmations in the securities transaction notification. CC ID 16623 | Leadership and high level objectives | Preventive | |
Include remunerations in the securities transaction notification. CC ID 16622 | Leadership and high level objectives | Preventive | |
Include requested information in the securities transaction notification. CC ID 16641 | Leadership and high level objectives | Preventive | |
Include the execution date in the securities transaction notification. CC ID 16620 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain financial reports. CC ID 14770 | Leadership and high level objectives | Preventive | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Leadership and high level objectives | Preventive | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Leadership and high level objectives | Preventive | |
Include the business need justification for lost value in the financial report. CC ID 15588 | Leadership and high level objectives | Preventive | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Leadership and high level objectives | Preventive | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Leadership and high level objectives | Preventive | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Preventive | |
Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Preventive | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Preventive | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Leadership and high level objectives | Preventive | |
Include assets and liabilities in the call report. CC ID 16729 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Preventive | |
Document any after the fact changes to the engagement file. CC ID 07002 | Audits and risk management | Preventive | |
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Audits and risk management | Preventive | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Audits and risk management | Preventive | |
Edit the audit assertion for accuracy. CC ID 07030 | Audits and risk management | Preventive | |
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Audits and risk management | Preventive | |
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Audits and risk management | Preventive | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Preventive | |
Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Preventive | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Preventive | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Audits and risk management | Preventive | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Preventive | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Preventive | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Audits and risk management | Preventive | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Preventive | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Preventive | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Preventive | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)] | Audits and risk management | Preventive | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)] | Audits and risk management | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Preventive | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Preventive | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)] | Audits and risk management | Preventive | |
Establish, implement, and maintain a digital identity management program. CC ID 13713 | Technical security | Preventive | |
Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager. § 6.(7) A Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act and the rules made thereunder. § 14.(1)] | Technical security | Preventive | |
Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Technical security | Preventive | |
Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Technical security | Preventive | |
Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 | Technical security | Preventive | |
Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Technical security | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)] | Operational management | Preventive | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)] | Operational management | Preventive | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Preventive | |
Include startup processes in operational control procedures. CC ID 00833 | Operational management | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Preventive | |
Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Preventive | |
Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Corrective | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Preventive | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Preventive | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9) A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor. § 8.(1)] | Operational management | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Preventive | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Records management | Preventive | |
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Records management | Preventive | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
Establish and maintain privacy notices, as necessary. CC ID 13443 | Privacy protection for information and data | Preventive | |
Include the personal data collection categories in the privacy notice. CC ID 13457 [Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the personal data and the purpose for which the same is proposed to be processed; § 5.(1) ¶ 1(i)] | Privacy protection for information and data | Preventive | |
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Privacy protection for information and data | Preventive | |
Define what is included in registration notices. CC ID 00386 | Privacy protection for information and data | Preventive | |
Include the verification method in the registration notice. CC ID 16798 | Privacy protection for information and data | Preventive | |
Include the statutory authority in the registration notice. CC ID 16799 | Privacy protection for information and data | Preventive | |
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 | Privacy protection for information and data | Preventive | |
Include a purpose specification description in the registration notice. CC ID 00388 | Privacy protection for information and data | Preventive | |
Include information about the dispute resolution body in the registration notice. CC ID 16800 | Privacy protection for information and data | Preventive | |
Include the data subject category being processed in the registration notice. CC ID 00389 | Privacy protection for information and data | Preventive | |
Include the time period for data processing in the registration notice. CC ID 00390 | Privacy protection for information and data | Preventive | |
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 | Privacy protection for information and data | Preventive | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Preventive | |
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the personal data and the purpose for which the same has been processed; § 5.(2) ¶ 1(a)(i) The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— any other information related to the personal data of such Data Principal and its processing, as may be prescribed. § 11.(1)(c) The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— a summary of personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data; § 11.(1)(a)] | Privacy protection for information and data | Preventive | |
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 | Privacy protection for information and data | Preventive | |
Establish and maintain a disclosure accounting record. CC ID 13022 | Privacy protection for information and data | Preventive | |
Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 | Privacy protection for information and data | Preventive | |
Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 | Privacy protection for information and data | Preventive | |
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 [The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and § 11.(1)(b)] | Privacy protection for information and data | Preventive | |
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Privacy protection for information and data | Preventive | |
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Privacy protection for information and data | Preventive | |
Include the disclosure date in the disclosure accounting record. CC ID 07133 | Privacy protection for information and data | Preventive | |
Include the disclosure recipient in the disclosure accounting record. CC ID 07134 | Privacy protection for information and data | Preventive | |
Include the disclosure purpose in the disclosure accounting record. CC ID 07135 | Privacy protection for information and data | Preventive | |
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 | Privacy protection for information and data | Preventive | |
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 | Privacy protection for information and data | Preventive | |
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 | Privacy protection for information and data | Preventive | |
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 | Privacy protection for information and data | Preventive | |
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 | Privacy protection for information and data | Preventive | |
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a privacy policy. CC ID 06281 | Privacy protection for information and data | Preventive | |
Document privacy policies in clearly written and easily understood language. CC ID 00376 | Privacy protection for information and data | Detective | |
Write privacy notices in the official languages required by law. CC ID 16529 [The Data Fiduciary shall give the Data Principal the option to access the contents of the notice referred to in sub-sections (1) and (2) in English or any language specified in the Eighth Schedule to the Constitution. § 5.(3)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain personal data choice and consent program. CC ID 12569 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Preventive | |
Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Preventive | |
Submit a safe harbor self-certification letter. CC ID 06871 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract. § 8.(2)] | Privacy protection for information and data | Preventive | |
Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Privacy protection for information and data | Preventive | |
Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 | Privacy protection for information and data | Preventive | |
Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Privacy protection for information and data | Preventive | |
Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 | Privacy protection for information and data | Preventive | |
Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 | Privacy protection for information and data | Preventive | |
Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 | Privacy protection for information and data | Preventive | |
Include the duration of processing in the Data Processing Contract. CC ID 14935 | Privacy protection for information and data | Preventive | |
Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Privacy protection for information and data | Preventive | |
Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 | Privacy protection for information and data | Preventive | |
Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 | Privacy protection for information and data | Preventive | |
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 | Privacy protection for information and data | Preventive | |
Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 | Privacy protection for information and data | Preventive | |
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 [{not be served} The purpose referred to in clause (a) of sub-section (7) shall be deemed to no longer be served, if the Data Principal does not–– exercise any of her rights in relation to such processing, § 8.(8) ¶ 1(b) {requirement} The purpose referred to in clause (a) of sub-section (7) shall be deemed to no longer be served, if the Data Principal does not–– approach the Data Fiduciary for the performance of the specified purpose; and § 8.(8) ¶ 1(a)] | Privacy protection for information and data | Preventive | |
Document the law that requires restricted data to be collected. CC ID 00103 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Privacy protection for information and data | Preventive | |
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Privacy protection for information and data | Preventive | |
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Privacy protection for information and data | Preventive | |
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Privacy protection for information and data | Preventive | |
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Privacy protection for information and data | Preventive | |
Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data access procedures. CC ID 00414 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [A Data Principal shall make a request in such manner as may be prescribed to the Data Fiduciary for erasure of her personal data, and upon receipt of such a request, the Data Fiduciary shall erase her personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force. § 12.(3) A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent, including consent as referred to in clause (a) of section 7, in accordance with any requirement or procedure under any law for the time being in force. § 12.(1)] | Privacy protection for information and data | Preventive | |
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Preventive | |
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Privacy protection for information and data | Preventive | |
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Privacy protection for information and data | Preventive | |
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Privacy protection for information and data | Preventive | |
Define and implement valid authorization control requirements. CC ID 06258 | Privacy protection for information and data | Preventive | |
Define the exceptions to disclosure absent consent. CC ID 00135 | Privacy protection for information and data | Preventive | |
Define how a data subject may give consent. CC ID 00160 [Any part of consent referred in sub-section (1) which constitutes an infringement of the provisions of this Act or the rules made thereunder or any other law for the time being in force shall be invalid to the extent of such infringement. § 6.(2)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain personal data disposition procedures. CC ID 13498 [{refrain from serving} A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,— erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and § 8.(7)(a)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data disclosure procedures. CC ID 00133 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data request denial procedures. CC ID 00434 [{requirement} {erase} {personal data} {correct} {complete} {update} In respect of processing by the State or any instrumentality of the State, the provisions of sub-section (7) of section 8 and sub-section (3) of section 12 and, where such processing is for a purpose that does not include making of a decision that affects the Data Principal, sub-section (2) of section 12 shall not apply. § 17.(4)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Preventive | |
Document each individual's personal data collection consent preferences. CC ID 06945 | Privacy protection for information and data | Preventive | |
Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Preventive | |
File privacy rights violation complaints in writing. CC ID 00477 | Privacy protection for information and data | Corrective | |
Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 | Privacy protection for information and data | Corrective | |
Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 [A Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals. § 8.(10)] | Privacy protection for information and data | Preventive | |
Include potential remedies in the privacy dispute resolution program. CC ID 12531 | Privacy protection for information and data | Preventive | |
Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 | Privacy protection for information and data | Preventive | |
Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 [{time requirement} The Data Fiduciary or Consent Manager shall respond to any grievances referred to in sub-section (1) within such period as may be prescribed from the date of its receipt for all or any class of Data Fiduciaries. § 13.(2)] | Privacy protection for information and data | Preventive | |
Document unresolved challenges. CC ID 13568 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 | Privacy protection for information and data | Preventive | |
Document disagreements as to whether personal data is complete and accurate. CC ID 06952 | Privacy protection for information and data | Preventive | |
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 | Privacy protection for information and data | Preventive | |
Include the allegations against the organization in the notice of investigation. CC ID 13031 | Privacy protection for information and data | Preventive | |
Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 | Privacy protection for information and data | Corrective | |
Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 [The Data Principal shall exhaust the opportunity of redressing her grievance under this section before approaching the Board. § 13.(3)] | Privacy protection for information and data | Detective | |
Define the organization's liability based on the applicable law. CC ID 00504 | Privacy protection for information and data | Preventive | |
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Preventive | |
Define the appeal process based on the applicable law. CC ID 00506 [{requirement} {time requirement} Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed. § 29.(2)] | Privacy protection for information and data | Preventive | |
Provide notice of proposed penalties. CC ID 06216 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain customer data authentication procedures. CC ID 13187 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Preventive | |
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 [The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— be based in India; § 10.(2)(a)(ii) {be responsible} The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; and § 10.(2)(a)(iii) The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— § 10.(2)(a) The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— represent the Significant Data Fiduciary under the provisions of this Act; § 10.(2)(a)(i)] | Human Resources management | Preventive | |
Define and assign the authorized representatives roles and responsibilities. CC ID 15033 [{act on behalf} The Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed. § 6.(8)] | Human Resources management | Preventive | |
Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources management | Preventive | |
Define and assign roles and responsibilities for dispute resolution. CC ID 13626 [The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— be the point of contact for the grievance redressal mechanism under the provisions of this Act; § 10.(2)(a)(iv)] | Human Resources management | Preventive | |
Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 | Privacy protection for information and data | Preventive | |
Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 | Privacy protection for information and data | Preventive | |
Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Leadership and high level objectives | Detective | |
Determine the amount of assets to be held in escrow. CC ID 16575 | Leadership and high level objectives | Detective | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Detective | |
Audit information systems, as necessary. CC ID 13010 | Audits and risk management | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Detective | |
Analyze requirements for processing personal data in contracts. CC ID 12550 | Privacy protection for information and data | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Monitor the performance of the margin system. CC ID 16655 | Leadership and high level objectives | Detective | |
Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Audits and risk management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include ongoing monitoring in the financial management program. CC ID 16762 | Leadership and high level objectives | Preventive | |
Employ tools to manage settlement and funding flows. CC ID 16743 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Leadership and high level objectives | Preventive | |
Analyze the effectiveness of the stress test plan. CC ID 16657 | Leadership and high level objectives | Detective | |
Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Leadership and high level objectives | Preventive | |
Include customer due diligence in the loan administration procedures. CC ID 16736 | Leadership and high level objectives | Preventive | |
Assess the properties of the margin model used in the margin system. CC ID 16658 | Leadership and high level objectives | Detective | |
Analyze the performance of the margin system. CC ID 16654 | Leadership and high level objectives | Detective | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Preventive | |
Identify interviewees. CC ID 16290 | Audits and risk management | Preventive | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Detective | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Corrective | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)] | Audits and risk management | Preventive | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 [{technical measure} A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder. § 8.(4)] | Operational management | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Preventive | |
Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Preventive | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Preventive | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Operational management | Preventive | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Preventive | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Preventive | |
Analyze the organizational culture. CC ID 12899 | Operational management | Preventive | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Detective | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Detective | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Detective | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Corrective | |
Sanitize user input in accordance with organizational standards. CC ID 16856 | Records management | Preventive | |
Provide the data subject with information about the right to erasure. CC ID 12602 [A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent, including consent as referred to in clause (a) of section 7, in accordance with any requirement or procedure under any law for the time being in force. § 12.(1)] | Privacy protection for information and data | Preventive | |
Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Preventive | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 [{requirement} {erase} {personal data} {correct} {complete} {update} In respect of processing by the State or any instrumentality of the State, the provisions of sub-section (7) of section 8 and sub-section (3) of section 12 and, where such processing is for a purpose that does not include making of a decision that affects the Data Principal, sub-section (2) of section 12 shall not apply. § 17.(4)] | Privacy protection for information and data | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Privacy protection for information and data | Preventive | |
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Preventive | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Preventive | |
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Preventive | |
Define the fee structure for the appeal process. CC ID 16532 [{requirement} {time requirement} Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed. § 29.(2)] | Privacy protection for information and data | Preventive | |
Define the time requirements for the appeal process. CC ID 16531 [{requirement} {time requirement} Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed. § 29.(2)] | Privacy protection for information and data | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Audits and risk management | Preventive | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Preventive | |
Compare each record's data input to its final form. CC ID 11813 | Records management | Detective | |
Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Preventive | |
Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Preventive | |
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Corrective | |
Refrain from processing restricted data, as necessary. CC ID 12551 | Privacy protection for information and data | Preventive | |
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Privacy protection for information and data | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Privacy protection for information and data | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Privacy protection for information and data | Preventive | |
Remove personal data from records after receiving a personal data removal request. CC ID 11972 [A Data Principal shall make a request in such manner as may be prescribed to the Data Fiduciary for erasure of her personal data, and upon receipt of such a request, the Data Fiduciary shall erase her personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force. § 12.(3)] | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880 | Privacy protection for information and data | Preventive | |
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Privacy protection for information and data | Preventive | |
Implement security measures to protect personal data. CC ID 13606 [A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach. § 8.(5)] | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Leadership and high level objectives | Preventive | |
Test the collateral requirements for appropriateness. CC ID 16681 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Leadership and high level objectives | Preventive | |
Include stress scenarios in the stress test plan. CC ID 16659 | Leadership and high level objectives | Preventive | |
Perform stress testing in accordance with the stress test plan. CC ID 16652 | Leadership and high level objectives | Preventive | |
Validate the margin system on a regular basis. CC ID 16660 | Leadership and high level objectives | Detective | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Preventive | |
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Audits and risk management | Detective | |
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Audits and risk management | Detective | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Detective | |
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Audits and risk management | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 | Audits and risk management | Detective | |
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Audits and risk management | Detective | |
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 | Audits and risk management | Preventive | |
Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Audits and risk management | Preventive | |
Conduct interviews, as necessary. CC ID 07188 | Audits and risk management | Detective | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Audits and risk management | Detective | |
Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Audits and risk management | Detective | |
Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 | Privacy protection for information and data | Detective | |
Record restricted data correctly. CC ID 00089 | Privacy protection for information and data | Detective | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach. § 8.(5)] | Third Party and supply chain oversight | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Detective | |
Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Detective | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Detective | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Detective |
There are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Process or Activity | |
Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Process or Activity | |
Share incident information with interested personnel and affected parties. CC ID 01212 | Operational management | Data and Information Management | |
Report data loss event information to breach notification organizations. CC ID 01210 [In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed. § 8.(6)] | Operational management | Data and Information Management | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Behavior | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Communicate | |
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Records Management | |
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Privacy protection for information and data | Communicate | |
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Privacy protection for information and data | Communicate | |
Implement procedures to file privacy rights violation complaints. CC ID 00476 | Privacy protection for information and data | Data and Information Management | |
File privacy rights violation complaints in writing. CC ID 00477 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the manner in which the Data Principal may make a complaint to the Board, § 5.(2) ¶ 1(a)(iii) Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the manner in which the Data Principal may make a complaint to the Board, § 5.(1) ¶ 1(iii)] | Privacy protection for information and data | Behavior | |
File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 | Privacy protection for information and data | Behavior | |
Change or destroy any personal data that is incorrect. CC ID 00462 [A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— correct the inaccurate or misleading personal data; § 12.(2)(a) A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— complete the incomplete personal data; and § 12.(2)(b) A Data Fiduciary shall, upon receiving a request for correction, completion or updating from a Data Principal,— update the personal data. § 12.(2)(c)] | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463 | Privacy protection for information and data | Behavior | |
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466 | Privacy protection for information and data | Behavior | |
Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 [A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,— cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor. § 8.(7)(b)] | Privacy protection for information and data | Behavior | |
Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 | Privacy protection for information and data | Data and Information Management | |
Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 | Privacy protection for information and data | Business Processes | |
Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 | Privacy protection for information and data | Communicate | |
Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 | Privacy protection for information and data | Establish/Maintain Documentation | |
Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 | Privacy protection for information and data | Behavior | |
Order the organization to change to be in compliance with applicable law. CC ID 00499 | Privacy protection for information and data | Behavior | |
Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 | Privacy protection for information and data | Behavior | |
Award damages based on applicable law. CC ID 00501 | Privacy protection for information and data | Behavior | |
Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 | Privacy protection for information and data | Data and Information Management |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Leadership and high level objectives | Investigate | |
Verify all required information is attached to each funds transfer. CC ID 16755 | Leadership and high level objectives | Business Processes | |
Analyze the effectiveness of the stress test plan. CC ID 16657 | Leadership and high level objectives | Process or Activity | |
Validate the margin system on a regular basis. CC ID 16660 | Leadership and high level objectives | Testing | |
Assess the properties of the margin model used in the margin system. CC ID 16658 | Leadership and high level objectives | Process or Activity | |
Monitor the performance of the margin system. CC ID 16655 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Analyze the performance of the margin system. CC ID 16654 | Leadership and high level objectives | Process or Activity | |
Determine the amount of assets to be held in escrow. CC ID 16575 | Leadership and high level objectives | Investigate | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Audits and Risk Management | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Audits and Risk Management | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Audits and Risk Management | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Investigate | |
Audit information systems, as necessary. CC ID 13010 | Audits and risk management | Investigate | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Investigate | |
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Audits and risk management | Testing | |
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Audits and risk management | Testing | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Audits and Risk Management | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Process or Activity | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Testing | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Process or Activity | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Testing | |
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Audits and risk management | Testing | |
Determine the effectiveness of in scope controls. CC ID 06984 | Audits and risk management | Testing | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and risk management | Audits and Risk Management | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Audits and Risk Management | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and risk management | Audits and Risk Management | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Audits and Risk Management | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Audits and Risk Management | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Audits and Risk Management | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Audits and Risk Management | |
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Audits and risk management | Testing | |
Conduct interviews, as necessary. CC ID 07188 | Audits and risk management | Testing | |
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Behavior | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Process or Activity | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Process or Activity | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Process or Activity | |
Explain the goals of the interview to the interviewee. CC ID 07189 | Audits and risk management | Behavior | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Audits and Risk Management | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Audits and risk management | Testing | |
Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Audits and risk management | Testing | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Process or Activity | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Process or Activity | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Process or Activity | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Log Management | |
Compare each record's data input to its final form. CC ID 11813 | Records management | Records Management | |
Document privacy policies in clearly written and easily understood language. CC ID 00376 | Privacy protection for information and data | Establish/Maintain Documentation | |
Analyze requirements for processing personal data in contracts. CC ID 12550 | Privacy protection for information and data | Investigate | |
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Data and Information Management | |
Investigate privacy rights violation complaints. CC ID 00480 | Privacy protection for information and data | Behavior | |
Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 | Privacy protection for information and data | Behavior | |
Investigate privacy rights violation complaints in private. CC ID 00492 | Privacy protection for information and data | Behavior | |
Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 | Privacy protection for information and data | Behavior | |
Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 | Privacy protection for information and data | Behavior | |
Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497 [The Data Principal shall exhaust the opportunity of redressing her grievance under this section before approaching the Board. § 13.(3)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 | Privacy protection for information and data | Testing | |
Record restricted data correctly. CC ID 00089 | Privacy protection for information and data | Testing | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Process or Activity | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach. § 8.(5)] | Third Party and supply chain oversight | Testing | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Testing | |
Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Testing | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Testing | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Data and Information Management | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Testing |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— such other measures, consistent with the provisions of this Act, as may be prescribed. § 10.(2)(c)(iii)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a financial management program. CC ID 13228 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Leadership and high level objectives | Establish/Maintain Documentation | |
Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Leadership and high level objectives | Communicate | |
Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Leadership and high level objectives | Business Processes | |
Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Leadership and high level objectives | Business Processes | |
Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Leadership and high level objectives | Business Processes | |
Attach the required information to each funds transfer. CC ID 16756 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Leadership and high level objectives | Business Processes | |
Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Leadership and high level objectives | Testing | |
Include communication protocols in the financial management program. CC ID 16763 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include ongoing monitoring in the financial management program. CC ID 16762 | Leadership and high level objectives | Process or Activity | |
Employ tools to manage settlement and funding flows. CC ID 16743 | Leadership and high level objectives | Process or Activity | |
Refrain from setting up anonymous financial accounts. CC ID 16721 | Leadership and high level objectives | Business Processes | |
Identify and maintain positions in financial accounts. CC ID 16751 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Leadership and high level objectives | Establish/Maintain Documentation | |
Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Leadership and high level objectives | Process or Activity | |
Establish, implement, and maintain financial resource management procedures. CC ID 16642 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the rationale for the amount of financial resources being held. CC ID 16688 | Leadership and high level objectives | Establish/Maintain Documentation | |
Supplement financial resources, as necessary. CC ID 16685 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain collateral procedures. CC ID 16653 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the use of appropriate models in the collateral procedures. CC ID 16687 | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the collateral requirements in the collateral procedures. CC ID 16686 | Leadership and high level objectives | Establish/Maintain Documentation | |
Test the collateral requirements for appropriateness. CC ID 16681 | Leadership and high level objectives | Testing | |
Limit the types of assets accepted as collateral. CC ID 16602 | Leadership and high level objectives | Business Processes | |
Avoid the use of concentrated holdings of assets. CC ID 16651 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Leadership and high level objectives | Testing | |
Include stress scenarios in the stress test plan. CC ID 16659 | Leadership and high level objectives | Testing | |
Perform stress testing in accordance with the stress test plan. CC ID 16652 | Leadership and high level objectives | Testing | |
Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Leadership and high level objectives | Communicate | |
Identify and document the financial resources available for use. CC ID 16643 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain credit loss procedures. CC ID 16683 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a securities trading program. CC ID 16626 | Leadership and high level objectives | Business Processes | |
Include fairness and equitability standards in the securities trading program. CC ID 16690 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include roles and responsibilities in the securities trading program. CC ID 16689 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include performance guarantees in the capital restoration plan. CC ID 16616 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include corrective actions taken in the capital restoration plan. CC ID 16612 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include required information in the capital restoration plan. CC ID 16609 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain valuation procedures. CC ID 16634 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include investment information in approval requests for investments. CC ID 16590 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain lending policies. CC ID 16608 | Leadership and high level objectives | Establish/Maintain Documentation | |
Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Leadership and high level objectives | Process or Activity | |
Include the requirements for risk assessments in the lending policy. CC ID 16730 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include pricing structures in the lending policy. CC ID 16724 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include monitoring requirements in the lending policy. CC ID 16710 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan origination procedures in the lending policy. CC ID 16709 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan requirements in the lending policy. CC ID 16706 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include appraisals and evaluations in the lending policy. CC ID 16705 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include terms and conditions in the lending policy. CC ID 16695 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the scope and distribution of loans in the lending policy. CC ID 16693 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include geographic areas in the lending policy. CC ID 16691 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include underwriting guidelines in the lending policy. CC ID 16619 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include credit review in the underwriting guidelines. CC ID 16765 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include documentation requirements in the lending policy. CC ID 16617 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the purpose of the loan in the loan documentation. CC ID 16747 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the source of repayment in the loan documentation. CC ID 16746 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include approval requirements in the lending policy. CC ID 16615 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include reporting requirements in the lending policy. CC ID 16614 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan administration procedures in the lending policy. CC ID 16610 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan participation agreements in the loan administration procedures. CC ID 16745 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include termination procedures in the loan participation agreement. CC ID 16753 | Leadership and high level objectives | Establish/Maintain Documentation | |
Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include servicing agreements in the loan administration procedures. CC ID 16744 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include claims processing in the loan administration procedures. CC ID 16742 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include forbearance management in the loan administration procedures. CC ID 16741 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include foreclosure management in the loan administration procedures. CC ID 16740 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include delinquency management in the loan administration procedures. CC ID 16739 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include customer due diligence in the loan administration procedures. CC ID 16736 | Leadership and high level objectives | Process or Activity | |
Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan closing in the loan administration procedures. CC ID 16734 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include payoff statements in the loan administration procedures. CC ID 16733 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include payment processing in the loan administration procedures. CC ID 16732 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan reviews in the loan administration procedures. CC ID 16703 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include collections in the loan administration procedures. CC ID 16701 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include collateral inspections in the loan administration procedures. CC ID 16699 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include disbursements in the loan administration procedures. CC ID 16697 | Leadership and high level objectives | Establish/Maintain Documentation | |
Review and approve lending policies. CC ID 16607 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a dividend policy. CC ID 16569 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include compliance requirements in the dividend policy. CC ID 16570 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain margin systems. CC ID 16601 | Leadership and high level objectives | Business Processes | |
Include valuation models in the margin system. CC ID 16663 | Leadership and high level objectives | Data and Information Management | |
Include procedures for collecting price data in the margin system. CC ID 16662 | Leadership and high level objectives | Data and Information Management | |
Include reliable sources for price data in the margin system. CC ID 16661 | Leadership and high level objectives | Data and Information Management | |
Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Leadership and high level objectives | Data and Information Management | |
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Leadership and high level objectives | Data and Information Management | |
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Leadership and high level objectives | Data and Information Management | |
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Leadership and high level objectives | Data and Information Management | |
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Leadership and high level objectives | Data and Information Management | |
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Leadership and high level objectives | Data and Information Management | |
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Leadership and high level objectives | Data and Information Management | |
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Leadership and high level objectives | Data and Information Management | |
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Leadership and high level objectives | Data and Information Management | |
Include account information In the recordkeeping system for securities transactions. CC ID 16632 | Leadership and high level objectives | Data and Information Management | |
Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the call date in the securities transaction notification. CC ID 16680 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include service charges and commissions in the securities transaction notification. CC ID 16702 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the call price in the securities transaction notification. CC ID 16678 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include debits and credits in the securities transaction notification. CC ID 16677 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include transactions in the securities transaction notification. CC ID 16676 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include yield information in the securities transaction notification. CC ID 16673 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include redemption information in the securities transaction notification. CC ID 16672 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the type of call in the securities transaction notification. CC ID 16668 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an account statement in the securities transaction notification. CC ID 16666 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the yield to maturity in the securities transaction notification. CC ID 16665 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the execution price in the securities transaction notification. CC ID 16664 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the organization's role in the securities transaction notification. CC ID 16646 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the name of the broker in the securities transaction notification. CC ID 16647 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the name of the customer in the securities transaction notification. CC ID 16625 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the organization's name in the securities transaction notification. CC ID 16624 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include confirmations in the securities transaction notification. CC ID 16623 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include remunerations in the securities transaction notification. CC ID 16622 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include requested information in the securities transaction notification. CC ID 16641 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Leadership and high level objectives | Communicate | |
Include the execution date in the securities transaction notification. CC ID 16620 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain financial reports. CC ID 14770 | Leadership and high level objectives | Establish/Maintain Documentation | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the business need justification for lost value in the financial report. CC ID 15588 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Leadership and high level objectives | Communicate | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include assets and liabilities in the call report. CC ID 16729 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Establish/Maintain Documentation | |
Assign the audit to impartial auditors. CC ID 07118 [The Significant Data Fiduciary shall— appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and § 10.(2)(b)] | Audits and risk management | Establish Roles | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Audits and Risk Management | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Business Processes | |
Audit in scope audit items and compliance documents. CC ID 06730 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic audit; and § 10.(2)(c)(ii) The Significant Data Fiduciary shall— appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and § 10.(2)(b)] | Audits and risk management | Audits and Risk Management | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 | Audits and risk management | Actionable Reports or Measurements | |
Document any after the fact changes to the engagement file. CC ID 07002 | Audits and risk management | Establish/Maintain Documentation | |
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Audits and risk management | Establish/Maintain Documentation | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Audits and risk management | Establish/Maintain Documentation | |
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Audits and risk management | Records Management | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Testing | |
Audit policies, standards, and procedures. CC ID 12927 | Audits and risk management | Audits and Risk Management | |
Edit the audit assertion for accuracy. CC ID 07030 | Audits and risk management | Establish/Maintain Documentation | |
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Audits and risk management | Establish/Maintain Documentation | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Process or Activity | |
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Audits and risk management | Establish/Maintain Documentation | |
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 | Audits and risk management | Testing | |
Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and risk management | Audits and Risk Management | |
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and risk management | Audits and Risk Management | |
Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and risk management | Audits and Risk Management | |
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and risk management | Audits and Risk Management | |
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and risk management | Audits and Risk Management | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Communicate | |
Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Audits and risk management | Testing | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Human Resources Management | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Process or Activity | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Process or Activity | |
Identify interviewees. CC ID 16290 | Audits and risk management | Process or Activity | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Process or Activity | |
Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Establish/Maintain Documentation | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Establish/Maintain Documentation | |
Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Establish/Maintain Documentation | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Establish/Maintain Documentation | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Establish/Maintain Documentation | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Establish/Maintain Documentation | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Establish/Maintain Documentation | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Audits and Risk Management | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Establish/Maintain Documentation | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Audits and risk management | Establish/Maintain Documentation | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Establish/Maintain Documentation | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Establish/Maintain Documentation | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and risk management | Audits and Risk Management | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Audits and risk management | Establish/Maintain Documentation | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Establish/Maintain Documentation | |
Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Audits and risk management | Monitor and Evaluate Occurrences | |
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Audits and risk management | Establish Roles | |
Respond to questions or clarification requests regarding the audit. CC ID 08902 | Audits and risk management | Business Processes | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)] | Audits and risk management | Process or Activity | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Establish/Maintain Documentation | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Establish/Maintain Documentation | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Establish/Maintain Documentation | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)] | Audits and risk management | Establish/Maintain Documentation | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)] | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Communicate | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Establish/Maintain Documentation | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 [The Significant Data Fiduciary shall— undertake the following other measures, namely:— periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed; § 10.(2)(c)(i)] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a digital identity management program. CC ID 13713 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an authorized representatives policy. CC ID 13798 [The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager. § 6.(7) A Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act and the rules made thereunder. § 14.(1)] | Technical security | Establish/Maintain Documentation | |
Include authorized representative life cycle management requirements in the authorized representatives policy. CC ID 13802 | Technical security | Establish/Maintain Documentation | |
Include any necessary restrictions for the authorized representative in the authorized representatives policy. CC ID 13801 | Technical security | Establish/Maintain Documentation | |
Include suspension requirements for authorized representatives in the authorized representatives policy. CC ID 13800 | Technical security | Establish/Maintain Documentation | |
Include the authorized representative's life span in the authorized representatives policy. CC ID 13799 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Establish Roles | |
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 [The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— be based in India; § 10.(2)(a)(ii) {be responsible} The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; and § 10.(2)(a)(iii) The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— § 10.(2)(a) The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— represent the Significant Data Fiduciary under the provisions of this Act; § 10.(2)(a)(i)] | Human Resources management | Human Resources Management | |
Define and assign the authorized representatives roles and responsibilities. CC ID 15033 [{act on behalf} The Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed. § 6.(8)] | Human Resources management | Human Resources Management | |
Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources management | Human Resources Management | |
Define and assign roles and responsibilities for dispute resolution. CC ID 13626 [The Significant Data Fiduciary shall— appoint a Data Protection Officer who shall— be the point of contact for the grievance redressal mechanism under the provisions of this Act; § 10.(2)(a)(iv)] | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 [{technical measure} A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder. § 8.(4)] | Operational management | Process or Activity | |
Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Establish/Maintain Documentation | |
Include technical safeguards in the information security program. CC ID 12374 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)] | Operational management | Establish/Maintain Documentation | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Establish/Maintain Documentation | |
Include startup processes in operational control procedures. CC ID 00833 | Operational management | Establish/Maintain Documentation | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Establish/Maintain Documentation | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Process or Activity | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Establish/Maintain Documentation | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Establish/Maintain Documentation | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Establish/Maintain Documentation | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Establish/Maintain Documentation | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Establish/Maintain Documentation | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Establish/Maintain Documentation | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Establish/Maintain Documentation | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Establish/Maintain Documentation | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Establish/Maintain Documentation | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Establish/Maintain Documentation | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Establish/Maintain Documentation | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Establish/Maintain Documentation | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Records Management | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Business Processes | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Process or Activity | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Business Processes | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Communicate | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Establish/Maintain Documentation | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [{technical measure} A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder. § 8.(4)] | Operational management | Business Processes | |
Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Process or Activity | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Process or Activity | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Operational management | Process or Activity | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Process or Activity | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Process or Activity | |
Analyze the organizational culture. CC ID 12899 | Operational management | Process or Activity | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Behavior | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Business Processes | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Business Processes | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Business Processes | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Behavior | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Behavior | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Business Processes | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Behavior | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Behavior | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9) A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor. § 8.(1)] | Operational management | Establish/Maintain Documentation | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Communicate | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Business Processes | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Operational management | Behavior | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Business Processes | |
Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Establish/Maintain Documentation | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Communicate | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Communicate | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain data processing integrity controls. CC ID 00923 [Where personal data processed by a Data Fiduciary is likely to be— used to make a decision that affects the Data Principal; or disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. § 8.(3) ¶ 2] | Records management | Establish Roles | |
Sanitize user input in accordance with organizational standards. CC ID 16856 | Records management | Process or Activity | |
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 | Records management | Data and Information Management | |
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Data and Information Management | |
Establish and maintain privacy notices, as necessary. CC ID 13443 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the personal data collection categories in the privacy notice. CC ID 13457 [Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the personal data and the purpose for which the same is proposed to be processed; § 5.(1) ¶ 1(i)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Deliver privacy notices to data subjects, as necessary. CC ID 13444 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– § 5.(2) ¶ 1(a) Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— § 5.(1) ¶ 1] | Privacy protection for information and data | Communicate | |
Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 | Privacy protection for information and data | Communicate | |
Notify data subjects about their privacy rights. CC ID 12989 [Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and § 5.(1) ¶ 1(ii) Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and § 5.(2) ¶ 1(a)(ii)] | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain adequate openness procedures. CC ID 00377 | Privacy protection for information and data | Data and Information Management | |
Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383 [{be subject to}{technical condition}{operational condition}{financial condition} Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed. § 6.(9)] | Privacy protection for information and data | Behavior | |
Define what is included in registration notices. CC ID 00386 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include roles and responsibilities in the registration notice. CC ID 16803 | Privacy protection for information and data | Establish Roles | |
Include the verification method in the registration notice. CC ID 16798 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the statutory authority in the registration notice. CC ID 16799 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include a purpose specification description in the registration notice. CC ID 00388 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include information about the dispute resolution body in the registration notice. CC ID 16800 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the data subject category being processed in the registration notice. CC ID 00389 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the time period for data processing in the registration notice. CC ID 00390 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from providing information to the data subject, as necessary. CC ID 12625 [{shall not apply} {requirement} {Data Principal} {furnish} {information} Nothing contained in clause (b) or clause (c) of sub-section (1) shall apply in respect of the sharing of any personal data by the said Data Fiduciary with any other Data Fiduciary authorised by law to obtain such personal data, where such sharing is pursuant to a request made in writing by such other Data Fiduciary for the purpose of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences. § 11.(2)] | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 | Privacy protection for information and data | Communicate | |
Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 | Privacy protection for information and data | Communicate | |
Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 | Privacy protection for information and data | Communicate | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 | Privacy protection for information and data | Data and Information Management | |
Provide the data subject with the data protection officer's contact information. CC ID 12573 [A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data. § 8.(9) Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. § 6.(3)] | Privacy protection for information and data | Business Processes | |
Provide the data subject with information about the right to erasure. CC ID 12602 [A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent, including consent as referred to in clause (a) of section 7, in accordance with any requirement or procedure under any law for the time being in force. § 12.(1)] | Privacy protection for information and data | Process or Activity | |
Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the personal data and the purpose for which the same has been processed; § 5.(2) ¶ 1(a)(i) The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— any other information related to the personal data of such Data Principal and its processing, as may be prescribed. § 11.(1)(c) The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— a summary of personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data; § 11.(1)(a)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 [The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and § 11.(1)(b)] | Privacy protection for information and data | Data and Information Management | |
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish and maintain a disclosure accounting record. CC ID 13022 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 [The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, including consent as referred to in clause (a) of section 7 (hereinafter referred to as the said Data Fiduciary), for processing of personal data, upon making to it a request in such manner as may be prescribed,— the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and § 11.(1)(b)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the disclosure date in the disclosure accounting record. CC ID 07133 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the disclosure recipient in the disclosure accounting record. CC ID 07134 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the disclosure purpose in the disclosure accounting record. CC ID 07135 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 | Privacy protection for information and data | Data and Information Management | |
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain a privacy policy. CC ID 06281 | Privacy protection for information and data | Establish/Maintain Documentation | |
Write privacy notices in the official languages required by law. CC ID 16529 [The Data Fiduciary shall give the Data Principal the option to access the contents of the notice referred to in sub-sections (1) and (2) in English or any language specified in the Eighth Schedule to the Constitution. § 5.(3)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain personal data choice and consent program. CC ID 12569 | Privacy protection for information and data | Establish/Maintain Documentation | |
Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391 [Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent. § 5.(2)(b)] | Privacy protection for information and data | Data and Information Management | |
Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 | Privacy protection for information and data | Business Processes | |
Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 | Privacy protection for information and data | Business Processes | |
Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 [Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given. § 6.(4)] | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a notification system for opt-out requests. CC ID 16880 | Privacy protection for information and data | Technical Security | |
Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 [{timely manner} If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India. § 6.(6)] | Privacy protection for information and data | Business Processes | |
Allow consent requests to be provided in any official languages. CC ID 16530 [Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. § 6.(3)] | Privacy protection for information and data | Business Processes | |
Give individuals the ability to change the uses of their personal data. CC ID 00469 [Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given. § 6.(4)] | Privacy protection for information and data | Data and Information Management | |
Notify data subjects of the implications of withdrawing consent. CC ID 13551 [The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal. § 6.(5)] | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Establish/Maintain Documentation | |
Require data controllers to be accountable for their actions. CC ID 00470 [Where a consent given by the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given by her to the Data Principal and consent was given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder. § 6.(10)] | Privacy protection for information and data | Establish Roles | |
Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 | Privacy protection for information and data | Human Resources Management | |
Notify the supervisory authority. CC ID 00472 | Privacy protection for information and data | Behavior | |
Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Business Processes | |
Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Communicate | |
Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Establish/Maintain Documentation | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Business Processes | |
Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Process or Activity | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 | Privacy protection for information and data | Process or Activity | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Communicate | |
Cooperate with Data Protection Authorities. CC ID 06870 | Privacy protection for information and data | Data and Information Management | |
Submit a safe harbor self-certification letter. CC ID 06871 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain Data Processing Contracts. CC ID 12650 [A Data Fiduciary may engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract. § 8.(2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the duration of processing in the Data Processing Contract. CC ID 14935 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 | Privacy protection for information and data | Human Resources Management | |
Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 [{not be served} The purpose referred to in clause (a) of sub-section (7) shall be deemed to no longer be served, if the Data Principal does not–– exercise any of her rights in relation to such processing, § 8.(8) ¶ 1(b) {requirement} The purpose referred to in clause (a) of sub-section (7) shall be deemed to no longer be served, if the Data Principal does not–– approach the Data Fiduciary for the performance of the specified purpose; and § 8.(8) ¶ 1(a)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Display or print the least amount of personal data necessary. CC ID 04643 | Privacy protection for information and data | Data and Information Management | |
Redact confidential information from public information, as necessary. CC ID 06872 | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of the collection purpose. CC ID 00095 | Privacy protection for information and data | Behavior | |
Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 | Privacy protection for information and data | Data and Information Management | |
Document the law that requires restricted data to be collected. CC ID 00103 | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify the data subject of the consequences for not providing personal data. CC ID 00104 [The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the legality of processing of the personal data based on consent before its withdrawal. § 6.(5)] | Privacy protection for information and data | Behavior | |
Notify the data subject of changes to personal data use. CC ID 00105 | Privacy protection for information and data | Behavior | |
Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 | Privacy protection for information and data | Establish/Maintain Documentation | |
Obtain the data subject's consent when the personal data use changes. CC ID 11832 | Privacy protection for information and data | Behavior | |
Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 | Privacy protection for information and data | Establish/Maintain Documentation | |
Dispose of media and restricted data in a timely manner. CC ID 00125 | Privacy protection for information and data | Data and Information Management | |
Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Records Management | |
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain data access procedures. CC ID 00414 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 [Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— the personal data and the purpose for which the same is proposed to be processed; § 5.(1) ¶ 1(i) Where a Data Principal has given her consent for the processing of her personal data before the date of commencement of this Act,— the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal a notice informing her,–– the personal data and the purpose for which the same has been processed; § 5.(2) ¶ 1(a)(i)] | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 [A Data Principal shall make a request in such manner as may be prescribed to the Data Fiduciary for erasure of her personal data, and upon receipt of such a request, the Data Fiduciary shall erase her personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force. § 12.(3) A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent, including consent as referred to in clause (a) of section 7, in accordance with any requirement or procedure under any law for the time being in force. § 12.(1)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Records Management | |
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from processing restricted data, as necessary. CC ID 12551 | Privacy protection for information and data | Records Management | |
Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 [{requirement} {erase} {personal data} {correct} {complete} {update} In respect of processing by the State or any instrumentality of the State, the provisions of sub-section (7) of section 8 and sub-section (3) of section 12 and, where such processing is for a purpose that does not include making of a decision that affects the Data Principal, sub-section (2) of section 12 shall not apply. § 17.(4)] | Privacy protection for information and data | Process or Activity | |
Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 | Privacy protection for information and data | Data and Information Management | |
Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 [A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children. § 9.(3)] | Privacy protection for information and data | Data and Information Management | |
Process restricted data lawfully and carefully. CC ID 00086 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force; § 7.(d) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— § 4.(1) The provisions of this Act shall not apply in respect of the processing of personal data— necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed. § 17.(2)(b) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–– subject to standards followed for processing being in accordance with the policy issued by the Central Government or any law for the time being in force for governance of personal data. § 7.(b) ¶ 2 {requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force. § 17.(1)(f)] | Privacy protection for information and data | Establish Roles | |
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Privacy protection for information and data | Technical Security | |
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Privacy protection for information and data | Data and Information Management | |
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Privacy protection for information and data | Records Management | |
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Privacy protection for information and data | Data and Information Management | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Privacy protection for information and data | Records Management | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Privacy protection for information and data | Process or Activity | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Privacy protection for information and data | Records Management | |
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Privacy protection for information and data | Data and Information Management | |
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Privacy protection for information and data | Data and Information Management | |
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define and implement valid authorization control requirements. CC ID 06258 | Privacy protection for information and data | Establish/Maintain Documentation | |
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Privacy protection for information and data | Data and Information Management | |
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Privacy protection for information and data | Data and Information Management | |
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Privacy protection for information and data | Data and Information Management | |
Process personal data after the data subject has granted explicit consent. CC ID 00180 [{unambiguous and implicit consent} The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. § 6.(1) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data. § 7.(a) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–– she has previously consented to the processing of her personal data by the State or any of its instrumentalities for any subsidy, benefit, service, certificate, licence or permit; or § 7.(b) ¶ 1(i) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— for which the Data Principal has given her consent; or § 4.(1)(a)] | Privacy protection for information and data | Data and Information Management | |
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India; § 7.(e) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State; § 7.(c) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force; § 7.(d) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee. § 7.(i) The provisions of this Act shall not apply in respect of the processing of personal data— by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and § 17.(2)(a) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where–– such personal data is available in digital form in, or in non-digital form and digitised subsequently from, any database, register, book or other document which is maintained by the State or any of its instrumentalities and is notified by the Central Government, § 7.(b) ¶ 1(ii)] | Privacy protection for information and data | Data and Information Management | |
Process personal data relating to criminal offenses when required by law. CC ID 00237 | Privacy protection for information and data | Data and Information Management | |
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual; § 7.(f)] | Privacy protection for information and data | Data and Information Management | |
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health; § 7.(g) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual; § 7.(f)] | Privacy protection for information and data | Data and Information Management | |
Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Privacy protection for information and data | Data and Information Management | |
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 [A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— for certain legitimate uses. § 4.(1)(b)] | Privacy protection for information and data | Data and Information Management | |
Process traffic data in a controlled manner. CC ID 00130 | Privacy protection for information and data | Data and Information Management | |
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the State and any of its instrumentalities to providepan> or style="background-color:#CBD0E5;" class="term_secondary-verb">issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be <span style="background-color:#CBD0E5;" class="term_secondary-verb">prescribed, where–– § 7.(b) ¶ 1] | Privacy protection for information and data | Data and Information Management | |
Process personal data when it is publicly accessible. CC ID 00187 | Privacy protection for information and data | Data and Information Management | |
Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Privacy protection for information and data | Data and Information Management | |
Refrain from processing personal data for marketing or advertising to children. CC ID 14010 [A Data Fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children. § 9.(3)] | Privacy protection for information and data | Business Processes | |
Process personal data for the purposes of employment. CC ID 16527 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee. § 7.(i)] | Privacy protection for information and data | Data and Information Management | |
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India; § 7.(e)] | Privacy protection for information and data | Data and Information Management | |
Process personal data for debt collection or benefit payments. CC ID 00190 [{requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force. § 17.(1)(f)] | Privacy protection for information and data | Data and Information Management | |
Process personal data in order to advance the public interest. CC ID 00191 [The provisions of this Act shall not apply in respect of the processing of personal data— by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and § 17.(2)(a)] | Privacy protection for information and data | Data and Information Management | |
Process personal data for surveys, archives, or scientific research. CC ID 00192 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Privacy protection for information and data | Data and Information Management | |
Process personal data for academic purposes or religious purposes. CC ID 00194 | Privacy protection for information and data | Data and Information Management | |
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 [A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order. § 7.(h) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State; § 7.(c) The provisions of this Act shall not apply in respect of the processing of personal data— by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and § 17.(2)(a)] | Privacy protection for information and data | Data and Information Management | |
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Privacy protection for information and data | Data and Information Management | |
Follow legal obligations while processing personal data. CC ID 04794 | Privacy protection for information and data | Data and Information Management | |
Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent for specific and well-documented circumstances. CC ID 13537 [The provisions of sub-sections (1) and (3) shall not be applicable to processing of personal data of a child by such classes of Data Fiduciaries or for such purposes, and subject to such conditions, as may be prescribed. § 9.(4)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 | Privacy protection for information and data | Process or Activity | |
Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent in order to perform a contract. CC ID 13586 [{requirement} {be outside} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India; § 17.(1)(d)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 [The provisions of this Act shall not apply in respect of the processing of personal data— necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed. § 17.(2)(b)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is needed by law. CC ID 13577 [{requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing of personal data is necessary for enforcing any legal right or claim; § 17.(1)(a) {judicial function} {quasi-judicial function} {regulatory function} {requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing of personal data by any court or tribunal or any other body in India which is entrusted by law with the performance of any judicial or quasi-judicial or regulatory or supervisory function, where such processing is necessary for the performance of such function; § 17.(1)(b) {requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India; § 17.(1)(c) {timely manner} If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India. § 6.(6)] | Privacy protection for information and data | Data and Information Management | |
Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is from publicly available information. CC ID 13576 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent to create a credit report. CC ID 15288 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when produced for business purposes. CC ID 13563 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent for handling insurance claims. CC ID 13561 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 [{requirement} The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where— the processing is necessary for a scheme of compromise or arrangement or merger or amalgamation of two or more companies or a reconstruction by way of demerger or otherwise of a company, or transfer of undertaking of one or more company to another company, or involving division of one or more companies, approved by a court or tribunal or other authority competent to do so by any law for the time being in force; and § 17.(1)(e)] | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent for life-threatening emergencies. CC ID 13558 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent for reasonable investigative purposes. CC ID 13557 | Privacy protection for information and data | Data and Information Management | |
Define the exceptions to disclosure absent consent. CC ID 00135 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define how a data subject may give consent. CC ID 00160 [Any part of consent referred in sub-section (1) which constitutes an infringement of the provisions of this Act or the rules made thereunder or any other law for the time being in force shall be invalid to the extent of such infringement. § 6.(2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain personal data disposition procedures. CC ID 13498 [{refrain from serving} A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,— erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and § 8.(7)(a)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Capture personal data removal requests. CC ID 13507 | Privacy protection for information and data | Communicate | |
Remove personal data from records after receiving a personal data removal request. CC ID 11972 [A Data Principal shall make a request in such manner as may be prescribed to the Data Fiduciary for erasure of her personal data, and upon receipt of such a request, the Data Fiduciary shall erase her personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force. § 12.(3)] | Privacy protection for information and data | Records Management | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 | Privacy protection for information and data | Process or Activity | |
Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 | Privacy protection for information and data | Process or Activity | |
Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178 | Privacy protection for information and data | Data and Information Management | |
Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198 [The Data Fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed. § 9.(1)] | Privacy protection for information and data | Data and Information Management | |
Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain data disclosure procedures. CC ID 00133 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data request denial procedures. CC ID 00434 [{requirement} {erase} {personal data} {correct} {complete} {update} In respect of processing by the State or any instrumentality of the State, the provisions of sub-section (7) of section 8 and sub-section (3) of section 12 and, where such processing is for a purpose that does not include making of a decision that affects the Data Principal, sub-section (2) of section 12 shall not apply. § 17.(4)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Privacy protection for information and data | Data and Information Management | |
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Privacy protection for information and data | Data and Information Management | |
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Data and Information Management | |
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Process or Activity | |
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 | Privacy protection for information and data | Data and Information Management | |
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Privacy protection for information and data | Data and Information Management | |
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Data and Information Management | |
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Data and Information Management | |
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 | Privacy protection for information and data | Data and Information Management | |
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Communicate | |
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Data and Information Management | |
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Process or Activity | |
Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Establish/Maintain Documentation | |
Use personal data for specified purposes. CC ID 11831 [{unambiguous and implicit consent} The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. § 6.(1) A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data. § 7.(a)] | Privacy protection for information and data | Data and Information Management | |
Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012 | Privacy protection for information and data | Data and Information Management | |
Document each individual's personal data collection consent preferences. CC ID 06945 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide explicit consent that is clear and unambiguous. CC ID 00181 [{unambiguous and implicit consent} The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. § 6.(1) Every request for consent under the provisions of this Act or the rules made thereunder shall be presented to the Data Principal in a clear and plain language, giving her the option to access such request in English or any language specified in the Eighth Schedule to the Constitution and providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. § 6.(3)] | Privacy protection for information and data | Data and Information Management | |
Give special attention to collecting children's data. CC ID 00038 [A Data Fiduciary shall not undertake such processing of personal data that is likely to cause any detrimental effect on the well-being of a child. § 9.(2)] | Privacy protection for information and data | Data and Information Management | |
Use simple understandable language to collect information from children. CC ID 00039 | Privacy protection for information and data | Behavior | |
Notify parents or legal representatives of what information is collected from children. CC ID 00040 | Privacy protection for information and data | Establish/Maintain Documentation | |
Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 | Privacy protection for information and data | Data and Information Management | |
Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Establish/Maintain Documentation | |
Implement security measures to protect personal data. CC ID 13606 [A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach. § 8.(5)] | Privacy protection for information and data | Technical Security | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 [A Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of such Data Principal or the exercise of her rights under the provisions of this Act and the rules made thereunder. § 13.(1)] | Privacy protection for information and data | Data and Information Management | |
Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 | Privacy protection for information and data | Behavior | |
Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 | Privacy protection for information and data | Business Processes | |
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526 [A Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals. § 8.(10)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include potential remedies in the privacy dispute resolution program. CC ID 12531 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 [{time requirement} The Data Fiduciary or Consent Manager shall respond to any grievances referred to in sub-section (1) within such period as may be prescribed from the date of its receipt for all or any class of Data Fiduciaries. § 13.(2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Document unresolved challenges. CC ID 13568 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify individuals of their right to challenge personal data. CC ID 00457 | Privacy protection for information and data | Data and Information Management | |
Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 | Privacy protection for information and data | Data and Information Management | |
Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 | Privacy protection for information and data | Configuration | |
Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 | Privacy protection for information and data | Human Resources Management | |
Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 | Privacy protection for information and data | Data and Information Management | |
Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 | Privacy protection for information and data | Communicate | |
Investigate the disputed accuracy of personal data. CC ID 00461 | Privacy protection for information and data | Data and Information Management | |
Notify third parties of unresolved challenges. CC ID 13559 | Privacy protection for information and data | Communicate | |
Document disagreements as to whether personal data is complete and accurate. CC ID 06952 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the allegations against the organization in the notice of investigation. CC ID 13031 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481 | Privacy protection for information and data | Behavior | |
Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 | Privacy protection for information and data | Behavior | |
Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 | Privacy protection for information and data | Behavior | |
Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 | Privacy protection for information and data | Behavior | |
Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 | Privacy protection for information and data | Behavior | |
Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 | Privacy protection for information and data | Behavior | |
Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 | Privacy protection for information and data | Behavior | |
Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 | Privacy protection for information and data | Behavior | |
Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 | Privacy protection for information and data | Behavior | |
Define the organization's liability based on the applicable law. CC ID 00504 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the appeal process based on the applicable law. CC ID 00506 [{requirement} {time requirement} Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed. § 29.(2)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the fee structure for the appeal process. CC ID 16532 [{requirement} {time requirement} Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed. § 29.(2)] | Privacy protection for information and data | Process or Activity | |
Define the time requirements for the appeal process. CC ID 16531 [{requirement} {time requirement} Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed. § 29.(2)] | Privacy protection for information and data | Process or Activity | |
Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 | Privacy protection for information and data | Communicate | |
Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 | Privacy protection for information and data | Communicate | |
Provide notice of proposed penalties. CC ID 06216 | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify the public and other agencies after a penalty becomes final. CC ID 06217 | Privacy protection for information and data | Behavior | |
Establish, implement, and maintain a Customer Information Management program. CC ID 00084 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain customer data authentication procedures. CC ID 13187 | Privacy protection for information and data | Establish/Maintain Documentation | |
Check the accuracy of restricted data. CC ID 00088 [Where personal data processed by a Data Fiduciary is likely to be— used to make a decision that affects the Data Principal; or disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. § 8.(3) ¶ 2] | Privacy protection for information and data | Data and Information Management | |
Check that restricted data is complete. CC ID 00090 [Where personal data processed by a Data Fiduciary is likely to be— used to make a decision that affects the Data Principal; or disclosed to another Data Fiduciary, the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. § 8.(3) ¶ 2] | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Establish/Maintain Documentation |