Keep restricted data up-to-date and valid.


CONTROL ID: 00091
CONTROL TYPE: Data and Information Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Customer Information Management program, CC ID: 00084

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Personal data must be kept accurate and up to date. (Art 16, Japan Handbook Concerning Protection Of Personal Data, February 1998)
  • Business operators that handle personal information must attempt to accurately maintain the personal data and keep it up to date within the scope that is necessary to achieve its purpose. (Art 19, Japan Act on the Protection of Personal Information Protection (Law No. 57 of 2003))
  • A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed. (Part II Division 1 11., Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • Any operator of a credit information business is mandated to manage credit information properly so as to keep it up-to-date. (Art 18(1), Korea Act Relating to Use and Protection of Credit Information)
  • The personal information controller shall ensure personal information is accurate, complete, and up to date to the extent necessary in relation to the purposes for which the personal information is processed. (Article 3(3), Personal Information Protection Act)
  • A collector who collects personal information for inclusion in a generally available publication or a record and solicits the information shall take the necessary steps to reasonably ensure that the collected information is relevant to the purpose and is up to date and complete. (§ 14 Prin. 3(c), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • A recordkeeper who possesses or controls records containing personal information shall not use the information absent taking reasonable steps to verify the personal information is accurate, complete, and up-to-date. (§ 14 Prin. 8, Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • A credit reporting agency that possesses or controls a credit information file or a credit reporting agency or credit provider that possesses or controls a credit report must take reasonable steps to verify the personal information that is contained in the credit report or the credit information fil… (§ 18G(a), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • An organization must take reasonable steps to ensure the personal information is accurate, complete, and up-to-date. (Sched 3 § 3, Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • That data collected must be up-to-date. The up-to-dateness of credit information and credit reports is addressed, indicating that the person handling this information must take steps to ensure it is up-to-date. (§ 14.3(c), 18G, Australia Privacy Act 1988)
  • An APP entity must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that the entity collects is accurate, up-to-date and complete. (Schedule 1 Part 4 Clause 10 Subclause 10.1, Australian Privacy Act 1988, Compilation No. 77)
  • An APP entity must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that the entity uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant. (Schedule 1 Part 4 Clause 10 Subclause 10.2, Australian Privacy Act 1988, Compilation No. 77)
  • Personal data must be kept up-to-date. (Art 4.d, Bosnia Law on Protection of Personal Data)
  • The data controller must take appropriate measures to update the data, if necessary, without undue delays. This includes blocking the processing, correcting or supplementing the personal data, or destroying the personal data. (Art 5(1)(c), Czech Republic Personal Data Protection Act, April 4, 2000)
  • Member States must ensure that information compiled by them on their behalf is current, accurate, and comparable. (Art 8.1, Directive 2003/4/EC Of The European Parliament)
  • Member States must ensure personal data is kept up to date, where necessary. (Art 6.1(d), Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Unofficial Translation)
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); (Art. 5.1.(d), Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Personal data may be processed, only if it is accurate, complete, and up to date. Appropriate steps must be taken to ensure inaccurate and incomplete data is deleted and corrected, with consideration to the purpose(s) for which they were obtained and collected. (Art 6.4°, France Data Processing, Data Files and Individual Liberties)
  • Personal data must be kept up to date, where necessary. (Art 4(1)(c), Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data)
  • For example, take a look at the list of laws below, that all say exactly the same thing: personal data must be kept up-to-date. • Bosnia's Law on Protection of Personal Data Article 4(d) • Greece's Law on the Protection of Individuals with regard to the Processing of Personal Data Article 4(1)(c… (Art 4.1.c, Greece Law Protection of personal data and privacy in electronic telecommunications sector (Law 3471))
  • Personal data must be kept up to date, where necessary. (Art 7(1)(b), Hungary Protection of Personal Data and Disclosure of Data of Public Interest)
  • Personal data being processed must be kept up to date. (Art 7 ¶ 1.4, Iceland Protection of Privacy as regards the Processing of Personal Data)
  • The data controller must ensure the data is accurate, complete, and up to date. Back-up data does not need to be kept up to date. (§ 2(1)(b), § 2(4), Ireland Consolidated Data Protection Acts of 1988 and 2003)
  • Personal data that is being processed must be accurate and kept up to date, as necessary. Public bodies must regularly check to ensure the data is accurate, up to date, and indispensable for the stated purposes, including data provided by the data subject. To ensure judicial and sensitive data is in… (§ 11.1(c), § 22.5, Italy Personal Data Protection Code)
  • Personal data must be kept up-to-date. (Art 9.1(c), Italy Protection of Individuals Other Subject with regard to the Processing of Personal Data)
  • Personal data that is collected must be kept up to date. Incomplete or inaccurate data must be erased or rectified. (Art 4.1, Belgian Law of 8 December 1992 on the protection of privacy in relation to the processing of persona, Unofficial English Translation November 2008)
  • Data must be updated. (§ 5(4), Denmark, The Act on Processing of Personal Data)
  • The personal data controller must ensure that the personal data is correct and up to date, if necessary. (§ 9 ¶ 1(g), Sweden Personal Data Act (1998:204))
  • Personal data must be kept up to date, where necessary. (Art 5.1(d), Portuguese Act on the Protection of Personal Data 67/98)
  • Personal data must be kept up to date, when necessary. (§ 6(1)4, Austria Data Protection Act)
  • The data controller must ensure the personal data that is processed is not obsolete. (§ 9(2), Finland Personal Data Protection Act (523/1999))
  • Personal data should be kept up-to-date, when necessary for the purposes of processing. (Art 3(3), Lithuania Law on Legal Protection of Personal Data)
  • The data controller must only process data that is accurate, complete, and updated. The data controller must ensure that all personal data is kept up-to-date. (§ 6(1)(f), § 12(1), Slovak Republic Protection of Personal Data in Information Systems)
  • When collecting personal information, the organization must inform data subjects that they should give the organization accurate information and let the organization know, as soon as possible, when there are changes to the information, in order to keep the personal information up to date and reliabl… (¶ 3, Guidance on the Information Charter, March 2009)
  • section 38(1) sets out the fourth data protection principle (requirement that personal data be accurate and kept up to date); (§ 34(1)(d), UK Data Protection Act 2018 Chapter 12)
  • personal data processed for any of the law enforcement purposes must be accurate and, where necessary, kept up to date, and (§ 38(1)(a), UK Data Protection Act 2018 Chapter 12)
  • The fourth data protection principle is that personal data undergoing processing must be accurate and, where necessary, kept up to date. (§ 89 ¶ 1, UK Data Protection Act 2018 Chapter 12)
  • section 38(1) sets out the fourth data protection principle (requirement that personal data be accurate and kept up to date); (§ 34(1)(d), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • personal data processed for any of the law enforcement purposes must be accurate and, where necessary, kept up to date, and (§ 38(1)(a), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • The fourth data protection principle is that personal data undergoing processing must be accurate and, where necessary, kept up to date. (§ 89 ¶ 1, UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • Personal data must be accurate and kept up to date. (Sched 1 Part I.4, UK Data Protection Act of 1998)
  • The entity has a process for preserving and periodically re-validating the quality and integrity of PI and verifying (e.g., confirming with data subjects) its continued accuracy, completeness and correctness. Refer to Component Q8.0. (M1.0 Data quality and integrity, Privacy Management Framework, Updated March 1, 2020)
  • The entity collects and maintains accurate, reliable, up to date, complete and relevant PI to meet the entity's objectives related to privacy. (Q8.1, Privacy Management Framework, Updated March 1, 2020)
  • Personal data should be kept up-to-date to the extent needed to the purpose for which it is to be used. (¶ 8, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data)
  • Data should be accurate and, where necessary, kept up to date. It should also be adequate, relevant and not excessive in relation to the purposes for which it is processed, and in principle be kept for no longer than is necessary for the purposes for which the personal data is processed. (2.2.3 (20), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Under the Data Integrity and Purpose Limitation Principle, personal data must be limited to what is relevant for the purpose of the processing. In addition, organisations must, to the extent necessary for the purposes of the processing, take reasonable steps to ensure that personal data is reliable … (2.2.3 (21), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • The organization should ensure and document that PII is as accurate, complete and up-to-date as is necessary for the purposes for which it is processed, throughout the life-cycle of the PII. (§ 7.4.3 Control, ISO/IEC 27701:2019, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines)
  • The organization is responsible for ensuring recorded data is kept up to date regularly or when the information is used. (A.2, UN Guidelines for the Regulation of Computerized Personal Data Files (1990))
  • Accuracy and being up to date, where necessary. (Art 4(2)(b), Turkish Law on The Protection of Personal Data no. 6698)
  • The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity's objectives related to privacy. (P7.1 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The personal information that is used for an administrative purpose by a government institution must be as accurate, complete, and as up-to-date as possible. (§ 6(2), Canada Privacy Act, P-21)
  • Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out. (Schedule 1 4.6.3, Canada Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Last amended on June 23, 2015)
  • Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. (Schedule 1 4.6 Principle 6 - Accuracy, Canada Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Last amended on June 23, 2015)
  • Personal information must be as accurate, complete, and up-to-date as needed for the purposes for which it is being used. The degree of the accuracy, completeness, and update status will depend on how the information is used, considering the individual's interests. It should be sufficiently accurate… (Sched 1 Clause 4.6, Sched 1 Clause 4.6.1, Sched 1 Clause 4.6.2, Sched 1 Clause 4.6.3, Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5)
  • The organization should ensure the collected information is up to date. (§ J1, Canadian Marketing Association Code of Ethics and Standards of Practice)
  • Data processed must be up-to-date. The data must conform to any other actual data kept on the data subject and each interested individual involved. (Art 5.4, Mexico Federal Personal Data Protection Law, November 2005)
  • Personal data must be updated to accurately reflect the data owner's situation in order to process the data. (Art 4.III, Colima Personal Data Protection Law (Decree No. 356))
  • Processed personal data should be updated, as necessary. (Art 40 ¶ 2, Tlaxcala Law on Access to Public Information and Personal Data Protection)
  • The system should state when personal information is no longer valid. (Table Ref 9.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity's objectives related to privacy. (P7.1, Trust Services Criteria)
  • The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity's objectives related to privacy. (P7.1 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by … (II.5.a., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by … (§ II.5.a., EU-U.S. Privacy Shield Framework Principles)
  • Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by … (ii.5.a., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by … (II.5.a., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • The organization should take reasonable steps to verify data it collects is current. (DATA INTEGRITY, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526; (§ 164.504(f)(2)(ii)(F), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle [Assignment: organization-defined frequency]; and (SI-18a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Personal data should be accurate, complete, and kept up-to-date. (§ 2.3 ¶ 2 Bullet Data Quality, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • Assess the validity of source data and subsequent findings. (T0347, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization requests that the individual or individual's authorized representative revalidate that PII collected is still accurate {organizationally documented frequency}. (DI-1(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy, relevance, timeliness, and completeness of that information; (DI-1a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization requests that the individual or individual's authorized representative revalidate that PII collected is still accurate [Assignment: organization-defined frequency]. (DI-1(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle [Assignment: organization-defined frequency]; and (SI-18a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle [Assignment: organization-defined frequency]; and (SI-18a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Personal data must be updated, if necessary. (§ 4.4, Argentina Personal Data Protection Act)