Privacy protection for information and data

IT Impact Zone


This is a top-level control.

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a privacy framework that protects restricted data., CC ID: 11850
  • Establish, implement, and maintain a Customer Information Management program., CC ID: 00084
  • Establish, implement, and maintain a consumer credit report policy., CC ID: 00257
  • Establish, implement, and maintain an anti-spam policy., CC ID: 00283


  • (Sched 1 Principle 1, Hong Kong Personal Data (Privacy) Ordinance)
  • These guidelines apply to personal data processed, in whole or part, by electronic computers, optical information processing devices, or other automatic processing systems, including personal data that is processed in document form. It does not apply to personal data that is collected by an individu… (Art 3, Japan Handbook Concerning Protection Of Personal Data, February 1998)
  • The organization must develop policies on personal information processing, protection of intellectual property rights, and disclosure of information outside the organization from the standpoint of rights in and outside of the organization. (App 2-1 Item Number I.6(4), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Art 4: The State must comprehensively formulate and implement measures necessary to ensure the proper handling of personal information with regard to the purpose of this Act. Art 5: Local governments must formulate and implement measures necessary to ensure the proper handling of personal informatio… (Art 4, Art 5, Art 6, Art 46, Japan Act on the Protection of Personal Information (Law No. 57 of 2003))
  • (Art 6, Taiwan Computer-Processed Personal Data Protection Law 1995)
  • Member States must protect the freedoms and fundamental rights of natural persons, especially the right to privacy when processing personal data. (Art 1.1, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Unofficial Translation)
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (Art. 32.1.(b), Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • The use of information technology must not violate human rights, human identity, privacy, or individual or public liberties. (Art 1, France Data Processing, Data Files and Individual Liberties)
  • (Art 9, Italy Protection of Individuals and Other Subjects with regard to the Processing of Personal Data)
  • The Government or an authority that has been appointed by the Government may issue more detailed regulations regarding cases where personal data processing is permitted; the requirements imposed on personal data controllers when they are processing personal data; the cases where personal identity nu… (§ 50, Sweden Personal Data Act (1998:204))
  • Everyone has the right to secrecy for personal data, especially private and family life. (§ 1(1), Austria Data Protection Act)
  • Persons have the right to have their personal data protected. Personal data may be processed in the data subject's interest, public interest, or third party's interest within the scope and subject to all procedures provided in this Act. (Art 1, Poland Protection of Personal Data Act)
  • The processing of personal data must not unlawfully infringe upon the privacy of affected persons. Absent a justification, personal data must not be processed in breach of the principles in Articles 4, 5.1, 6.1, and 7.1. Personal data may be processed by Federal authorities only when there is a le… (Art 12.1, Art 12.2(a), Art 17.1, Switzerland Federal Act of 19 June 1992 on Data Protection (FADP))
  • These Guidelines apply to public or private personal data that, due to the way it is processed or because of its nature or context, pose a danger to individual liberties and privacy. In domestically implementing the principles of Parts Two and Three, Member countries should establish administrative,… (¶ 2, ¶ 19, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data)
  • Whenever the Primary Account Number (PAN) is displayed, the PAN must be masked. The first six and last four digits are the maximum number of digits that may be displayed; any view that does not need the full PAN for a business purpose should show less. (§ 2.2, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • A privacy audit should be performed and should include identifying the privacy laws, regulations, and statutes the organization must comply with; ensuring an individual has been assigned responsibility for privacy; establishing privacy policies and procedures for protecting privacy information; and … (App A.5, IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • § 2.2 (Privacy Controls) ¶ 2: The organization must implement an effective privacy program that includes monitoring. § 4.4 ¶ 1, § 5.5 (Identify the Controls and Countermeasures): Setting objectives, establishing monitoring and improvement mechanisms, and establishing procedures and policies are s… (§ 2.2 (Privacy Controls) ¶ 2, § 4.4 ¶ 1, § 5.5 (Identify the Controls and Countermeasures), IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • The Privacy Act provides three rights and remedies for individuals regarding the disclosure of information by federal agencies: individuals must be notified and must consent before information is disclosed; individuals can access their own records and request changes to them; and individuals have the ri… (Pg 21-III-15, Pg 22-I-18, Pg 22-I-19, Revised Volume 2 Pg 1-I-48, Protection of Assets Manual, ASIS International)
  • The organization should develop a presumption of privacy policy and enforce it. This policy should contain information such as whether or not email stored on the file server is owned by the organization or the individual user; when encryption is allowed and under what circumstances it is required; a… (Action 1.1.3, SANS Computer Security Incident Handling, Version 2.3.1)
  • A data protection policy and a privacy policy that take into account all applicable laws and regulations should be developed and implemented. All personnel involved in processing personal information should be notified of these policies. A data protection officer should be assigned to provide guidan… (§ 15.1.4, ISO 27002 Code of practice for information security management, 2005)
  • This Act (Canada Privacy Act) does not apply to museum or library material used solely for public reference purposes or exhibitions or material that is placed in the Library and Archives of Canada, the Canadian Museum of Civilization, the National Gallery of Canada, the National Museum of Science an… (§ 69, Canada Privacy Act, P-21)
  • Part 1 of this Act applies to organizations with regard to the personal information (1) they collect, use, or disclose during commercial activities or (2) that is about an employee of an organization that it collects, uses, or discloses in connection with the operation of a federal work, business, o… (§ 4(1), § 4(2), § 5(1), Sched 1 Prin. 4.1.3, Canada Personal Information Protection and Electronic Documents Act (PIPEDA), 2000, c.5)
  • The organization should be responsible for personal information management practices consistent with applicable legislation. All personal information stored by the organization should be protected. (§ H1, § M1.6, Canadian Marketing Association Code of Ethics and Standards of Practice)
  • This law is intended to protect and guarantee the rights of protection of personal data as one of the fundamental human rights. It applies to all registered personal data at any site that is processed by both the private and public sector within the State. The following are exempt from this law: fil… (Art 1, Art 2, Colima Personal Data Protection Law (Decree No. 356))
  • Data that relates to a person is considered private information. An individual retains the legal right to his/her data. (Art 40 Bis 1, Art 40 Bis 2, Civil Code of the State of Jalisco, Article 40 Bis 1 to Article 40 Bis 39)
  • This law regulates the right of access to public information and protecting personal data processing. The following are responsible for ensuring and providing access to public information and protecting personal data: the central agencies and parastatals of the State Public Administration, the legis… (Art 1, Art 5, Tlaxcala Law on Access to Public Information and Personal Data Protection)
  • Systems or files that have been established for administrative purposes by institutions, agencies, or public health entities and contains data of a personal nature will be subject to the requirements in this Law. (Art 11, The Personal Data Protection Law for the Federal District (Mexico City))
  • The organization should collect personal information only for the purpose stated in the privacy policies. The organization's privacy policies should include providing notice to individuals; a description of what personal information is being collected; how the personal information is used and retain… (ID 4.0, ID 1.1.0, ID 2.1.0, ID 3.1.0, ID 4.1.0, ID 5.1.0, ID 6.1.0, ID 7.1.0, ID 8.1.0, ID 9.1.0, ID 10.1.0, AICPA/CICA Privacy Framework)
  • Is there a documented Identity Theft Prevention Program in place to detect, prevent, and mitigate identity theft for the services furnished to clients? (§ P.11.1, Shared Assessments Standardized Information Gathering Questionnaire - P. Privacy, 7.0)
  • (§ 310.4(a)(5), 16 CFR Part 310, Telemarketing Sales Rule (TSR))
  • (§ 551(b), Cable Communications Privacy Act Title 47 § 551)
  • (§ 1303, Children's Online Privacy Protection Act of 1998)
  • The organization should protect the security and confidentiality of nonpublic personal information and should respect the privacy of its customers. (§ 6801(a), Gramm-Leach-Bliley Act (GLB), Deprecated)
  • Data brokers involved in interstate commerce are subject to the requirements of Title II of this Act for any service or product offered to third parties that allows use of or access to sensitive personally identifiable information. Prohibitions and requirements may not be imposed by any State with r… (§ 201(a), § 203, § 301(b), § 301(c), § 301(d), § 319, Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • Information contained in applications, statements, reports, contracts, correspondence, or other documents filed with the Securities and Exchange Commission must be kept confidential. (§ 78x(b), Securities Exchange Act of 1934)
  • § 552a(j): If a system of records is maintained by the Central Intelligence Agency or by an agency or component of an agency pertaining to the enforcement of criminal laws, including police efforts for controlling, preventing, or reducing crime or for apprehending criminals, and the activities of c… (§ 552a(j), § 552a(k), 5 USC § 552a, Records maintained on individuals (Privacy Act of 1974))
  • Determine whether audit procedures for operations consider: the adequacy of security policies, procedures, and practices in all units and at all levels of the financial institution and service providers; the adequacy of data controls over preparation, input, processing, and output; the ad… (Exam Tier II Obj C.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • The organization should implement appropriate procedures to safeguard customers' sensitive or confidential information. (Pg C-1, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should comply with all regulations for protecting customer data and providing appropriate disclosures. (Pg 37, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The organization should protect the security and confidentiality of customer information. The information should be protected against unauthorized access, inappropriate use, and anticipated threats. (Pg 30, FFIEC IT Examination Handbook - Management)
  • Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems. (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • § 2.4 ¶ 1: The organization shall implement the personal identity verification (PIV) system in accordance with the spirit and letter of all privacy controls specified in this standard and in federal privacy laws and policies, including but not limited to the Privacy Act of 1974, the E-Government A… (§ 2.4 ¶ 1, § 2.4 p3, FIPS Pub 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, Change Notice 1)
  • Organizational records and documents should be examined to ensure a privacy impact assessment has been performed, the privacy impact assessment is conducted at regular intervals, and specific responsibilities and actions are defined for the implementation of the privacy impact assessment control. An… (PL-5, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • If the organization owns, licenses, or acquires personal information about Arkansas residents, it must maintain and implement appropriate security procedures to protect the information from unauthorized access, use, disclosure, modification, or destruction. (§ 4-110-104(b), Arkansas Code, Title 4 Business and Commercial Law, Subtitle 7 Consumer Protection, Chapter 110 Personal Information, Sections 4-110-103 thru 4-110-105, Personal Information Protection Act)
  • The organization must implement appropriate security measures in accordance with the size and nature of the business and its operations and the sensitivity of the personal information to protect it from unauthorized access, disclosure, use, or modification. (§ 14-3503(a), Maryland Commercial Law, Subtitle 35, Maryland Personal Information Protection Act, Sections 14-3501 thru 14-3508)
  • The Department of Consumer Affairs and Business Regulation is required to develop security regulations for the organization to protect personal information about Massachusetts residents that is owned or licensed. The security regulations must be consistent with the federal regulations by which the o… (Ch 93H § 2(a), General Laws of Massachusetts, Part I, Title XV, Chapter 93H, Security Breaches)
  • The organization must implement appropriate security measures to protect personal information from unauthorized access, disclosure, use, modification, or destruction. (§ 603A.210(1), Nevada Revised Statutes, Chapter 603A, Security of Personal Information)
  • The organization must ensure procedures are implemented and maintained, including taking corrective actions as appropriate, to protect sensitive personal information from being used or disclosed unlawfully. This section does not apply to financial institutions as defined in 15 U.S.C. § 6809. (§ 521.052(a), Texas Business and Commercial Code, Title 11, Subtitle B, Chapter 521, Subchapter A, Section 521)
  • If the organization is conducting business in Utah, it must implement security procedures to ensure the unlawful use or disclosure of any personal information collected or maintained is prevented. (§ 13-44-201(1)(a), Utah Code, Title 13-44, Protection of Personal Information Act)