Check that restricted data is complete.


CONTROL ID: 00090
CONTROL TYPE: Data and Information Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Customer Information Management program., CC ID: 00084

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed. (Part II Division 1 11., Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • the Data Fiduciary processing such personal data shall ensure its completeness, accuracy and consistency. (§ 8.(3) ¶ 2, Digital Personal Data Protection Act, 2023, August 11, 2023)
  • The personal information controller shall ensure personal information is accurate, complete, and up to date to the extent necessary in relation to the purposes for which the personal information is processed. (Article 3(3), Personal Information Protection Act)
  • The FI should ensure that information processed, stored or transmitted between the FI and its customers is accurate, reliable and complete. With internet connection to internal networks, financial systems and devices may now be potentially accessed by anyone from anywhere at any time. The FI should … (§ 12.1.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data— (Part VI Section 23 ¶ 1, Singapore Personal Data Protection Act 2012 (No. 26 of 2012))
  • The organisation must ensure that the copy of the personal data it preserves for the purposes of subsection (1) is a complete and accurate copy of the personal data concerned. (§ 22A.(2), Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021)
  • An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data — (§ 23., Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021)
  • A collector who collects personal information for inclusion in a generally available publication or a record and solicits the information shall take the necessary steps to reasonably ensure that the collected information is relevant to the purpose and is up to date and complete. (§ 14 Prin. 3(c), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • A recordkeeper who possesses or controls records containing personal information shall not use the information absent taking reasonable steps to verify the personal information is accurate, complete, and up-to-date. (§ 14 Prin. 8, Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • A credit reporting agency that possesses or controls a credit information file or a credit reporting agency or credit provider that possesses or controls a credit report must take reasonable steps to verify the personal information that is contained in the credit report or the credit information fil… (§ 18G(a), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • An organization must take reasonable steps to ensure the personal information is accurate, complete, and up-to-date. (Sched 3 § 3, Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • Data collected must be complete. A record keeper who has possession or control of a record that contains personal information shall not use the information unless it is complete. The accuracy and completeness of credit information and credit reports is addressed, indicating that the person handling … (§ 14.3(c), § 14.8, § 18G, Australia Privacy Act 1988)
  • An APP entity must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that the entity collects is accurate, up-to-date and complete. (Schedule 1 Part 4 Clause 10 Subclause 10.1, Australian Privacy Act 1988, Compilation No. 77)
  • An APP entity must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that the entity uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant. (Schedule 1 Part 4 Clause 10 Subclause 10.2, Australian Privacy Act 1988, Compilation No. 77)
  • Personal data may be processed only if it is accurate, complete, and up to date. Appropriate steps must be taken to ensure inaccurate and incomplete data is deleted and corrected, with consideration to the purpose(s) for which they were obtained and collected. (Art 6.4°, France Data Processing, Data Files and Individual Liberties)
  • Personal data must be complete. (Art 7(1)(b), Hungary Protection of Personal Data and Disclosure of Data of Public Interest)
  • The data controller must ensure the data is accurate, complete, and up to date. (§ 2(1)(b), Ireland Consolidated Data Protection Acts of 1988 and 2003)
  • Personal data that is being processed must be complete, relevant, and not excessive in relation to the purpose for collection and processing. Public bodies must regularly check to ensure the data is complete, relevant, not excessive, and indispensable for the stated purposes, including data provided… (§ 11.1(d), § 22.5, Italy Personal Data Protection Code)
  • Personal data that is inaccurate, in whole or part, or incomplete must be erased and replaced by corrected or supplemented data. (Art 4.4, ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data)
  • The personal data controller must ensure all reasonable measures have been taken to block, erase, or correct any personal data that is incomplete or incorrect with regard to the purpose of the processing. (§ 9 ¶ 1(h), Sweden Personal Data Act (1998:204))
  • The data controller must ensure the personal data that is processed is complete. (§ 9(2), Finland Personal Data Protection Act (523/1999))
  • The data controller must only process data that is accurate, complete, and updated. (§ 6(1)(f), Slovak Republic Protection of Personal Data in Information Systems)
  • section 37 sets out the third data protection principle (requirement that personal data be adequate, relevant and not excessive); (§ 34(1)(c), UK Data Protection Act 2018 Chapter 12)
  • section 38(1) sets out the fourth data protection principle (requirement that personal data be accurate and kept up to date); (§ 34(1)(d), UK Data Protection Act 2018 Chapter 12)
  • The third data protection principle is that personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed. (§ 37 ¶ 1, UK Data Protection Act 2018 Chapter 12)
  • Where personal data is inaccurate because it is incomplete, the controller must, if so requested by a data subject, complete it. (§ 46(2), UK Data Protection Act 2018 Chapter 12)
  • The duty under subsection (2) may, in appropriate cases, be fulfilled by the provision of a supplementary statement. (§ 46(3), UK Data Protection Act 2018 Chapter 12)
  • section 37 sets out the third data protection principle (requirement that personal data be adequate, relevant and not excessive); (§ 34(1)(c), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • section 38(1) sets out the fourth data protection principle (requirement that personal data be accurate and kept up to date); (§ 34(1)(d), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • The third data protection principle is that personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed. (§ 37 ¶ 1, UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • Where personal data is inaccurate because it is incomplete, the controller must, if so requested by a data subject, complete it. (§ 46(2), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • The duty under subsection (2) may, in appropriate cases, be fulfilled by the provision of a supplementary statement. (§ 46(3), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • The entity has a process for preserving and periodically re-validating the quality and integrity of PI and verifying (e.g., confirming with data subjects) its continued accuracy, completeness and correctness. Refer to Component Q8.0. (M1.0 Data quality and integrity, Privacy Management Framework, Updated March 1, 2020)
  • The entity collects and maintains accurate, reliable, up to date, complete and relevant PI to meet the entity's objectives related to privacy. (Q8.1, Privacy Management Framework, Updated March 1, 2020)
  • PI is accurate and complete for the purposes for which it is to be used. (Q8.1 Ensures accuracy and completeness of PI, Privacy Management Framework, Updated March 1, 2020)
  • Personal data should be complete to the extent needed for the purpose for which it is to be used. (¶ 8, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data)
  • Data should be accurate and, where necessary, kept up to date. It should also be adequate, relevant and not excessive in relation to the purposes for which it is processed, and in principle be kept for no longer than is necessary for the purposes for which the personal data is processed. (2.2.3 (20), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Under the Data Integrity and Purpose Limitation Principle, personal data must be limited to what is relevant for the purpose of the processing. In addition, organisations must, to the extent necessary for the purposes of the processing, take reasonable steps to ensure that personal data is reliable … (2.2.3 (21), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • In accordance with authority provided by the Clinger-Cohen Act (P.L. 104-106, Division E) and the Computer Security Act of 1987 (P.L. 100-235), the Office of Management and Budget (OMB) issued Circular No. A-130 to establish general binding guidance that applies to all federal agencies (including la… (3.1.1.2 (102), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • The organization should ensure and document that PII is as accurate, complete and up-to-date as is necessary for the purposes for which it is processed, throughout the life-cycle of the PII. (§ 7.4.3 Control, ISO/IEC 27701:2019, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines)
  • The organization is responsible for ensuring recorded data is kept as complete as possible to prevent errors of omission. (A.2, UN Guidelines for the Regulation of Computerized Personal Data Files (1990))
  • The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity's objectives related to privacy. (P7.1 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Personal information is accurate and complete for the purposes for which it is to be used. (P7.1 ¶ 2 Bullet 1 Ensures Accuracy and Completeness of Personal Information, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The personal information that is used for an administrative purpose by a government institution must be as accurate, complete, and as up-to-date as possible. (§ 6(2), Canada Privacy Act, P-21)
  • Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. (Schedule 1 4.6 Principle 6 - Accuracy, Canada Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Last amended on June 23, 2015)
  • Personal information must be as accurate, complete, and up-to-date as needed for the purposes for which it is being used. The degree of the accuracy, completeness, and update status will depend on how the information is used, considering the individual's interests. It should be sufficiently accurate… (Sched 1 Clause 4.6, Sched 1 Clause 4.6.1, Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5)
  • The organization should ensure the collected information is complete. (§ J1, Canadian Marketing Association Code of Ethics and Standards of Practice)
  • Completeness is addressed by stating that all data gathered shall be "certain." Data that is incomplete must be supplemented, updated or corrected, as applicable. (Art 5.1, Mexico Federal Personal Data Protection Law, November 2005)
  • The organization should ensure personal information being collected is complete. (ID 9.2.1, AICPA/CICA Privacy Framework)
  • Personal information is complete and accurate for its purpose. (Generally Accepted Privacy Principles and Criteria § 9.2.1, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should have implemented procedures that define how personal information received from third parties is verified to be accurate and complete. (Table Ref 9.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should have implemented procedures that define how personal information received directly from individuals is verified to be accurate and complete. (Table Ref 9.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should have implemented procedures that define how personal information disclosed to a third party is verified to be accurate and complete. (Table Ref 9.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should verify personal information that is used on an ongoing basis is accurate and complete enough to make decisions, unless there are limits for the need for accuracy. (Table Ref 9.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a description of the process for determining if personal informatio… (¶ 1.35.e.vii, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • Personal information is accurate and complete for the purposes for which it is to be used. (P7.1 Ensures Accuracy and Completeness of Personal Information, Trust Services Criteria)
  • The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity's objectives related to privacy. (P7.1, Trust Services Criteria)
  • The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity's objectives related to privacy. (P7.1 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • Personal information is accurate and complete for the purposes for which it is to be used. (P7.1 ¶ 2 Bullet 1 Ensures Accuracy and Completeness of Personal Information, Trust Services Criteria, (includes March 2020 updates))
  • Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by … (II.5.a., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by … (§ II.5.a., EU-U.S. Privacy Shield Framework Principles)
  • Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by … (ii.5.a., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by … (II.5.a., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • The organization should take reasonable steps to verify data it collects is complete. (DATA INTEGRITY, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle [Assignment: organization-defined frequency]; and (SI-18a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Personal data should be accurate, complete, and kept up-to-date. (§ 2.3 ¶ 2 Bullet Data Quality, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that information. (DI-1a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that information; (DI-1a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle [Assignment: organization-defined frequency]; and (SI-18a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle [Assignment: organization-defined frequency]; and (SI-18a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)