Maintain restricted data in a form that does not permit the identification of data subjects for longer than the processing purpose.


CONTROL ID: 00092
CONTROL TYPE: Data and Information Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Customer Information Management program. (CC ID: 00084)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • When biometric information and the media that holds that information is no longer necessary for personal identification and the customer requests that it be deleted, the information should be deleted without delay based on predefined deletion procedures. (O53-1.2(5), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Conduct periodic checks for personal data stored in ICT systems. For personal data that is not required in any form anymore, securely dispose the data (refer to section 8). If there is a need to retain the data but not in identifiable form, e.g. for performing data analytics, consider anonymising th… (Annex A1: Classification and tracking 10, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • An organization must take reasonable steps to destroy or permanently deidentify personal information that is no longer needed for its purpose. (Sched 3 § 4.2, Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The data controller must ensure personal data is only kept for as long as necessary for the processing. After this time period, the personal data may be preserved for scientific, state statistical service, or archive purposes. When the personal data is used for one of these purposes, it must be made… (Art 5(1)(e), Czech Republic Personal Data Protection Act, April 4, 2000)
  • Member States must ensure personal data is kept in a form that does not allow data subjects to be identified for longer than is necessary for the purposes for which the data was collected or further processed. (Art 6.1(e), Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Unofficial Translation)
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest,… (Art. 5.1.(e), Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • the pseudonymisation and encryption of personal data; (Art. 32.1.(a), Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Personal data must be made anonymous as soon as the purpose of the research allows it. Until then, the characteristics about personal or material circumstances that are attributed to an identified or identifiable individual must be stored separately. This information may be combined only… (§ 40(2), German Federal Data Protection Act, September 14, 1994)
  • Personal data may be processed, only if it is stored in a form that allows an individual to be identified only as long as is necessary for the purpose(s) for which the data was obtained and processed. (Art 6.5°, France Data Processing, Data Files and Individual Liberties)
  • Personal data must be kept in a form that permits data subjects to be identified for no longer than necessary. (Art 4(1)(d), Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data)
  • Personal data undergoing processing must be stored to only allow the identification of data subjects for the amount of time required for the purpose for which the data is stored. Personal data must be made anonymous as soon as possible after the research allows it. Data that identifies a person must… (Art 7(1)(c), Art 32(2), Hungary Protection of Personal Data and Disclosure of Data of Public Interest)
  • Personal data being processed must be kept in a form that does not permit the data subject's identification for longer than necessary for the processing. (Art 7 ¶ 1.5, Iceland Protection of Privacy as regards the Processing of Personal Data)
  • Personal data that is being processed must be kept in a form that does not allow the data subject to be identified for longer than necessary to the purposes that the data is collected and processed for. Public bodies must regularly check to ensure the data is accurate, up to date, complete, relevant… (§ 11.1(e), § 22.5, Italy Personal Data Protection Code)
  • Data should be "kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data were collected or subsequently processed." (Art 9.1(e), Italy Protection of Individuals Other Subject with regard to the Processing of Personal Data)
  • Personal data must be stored in a form where the identification of data subjects is not kept longer than necessary for the purpose(s) for which it was collected or processed. (Art 4.1, Belgian Law of 8 December 1992 on the protection of privacy in relation to the processing of persona, Unofficial English Translation November 2008)
  • Collected data must not be kept in a form in which the data subject can be identified for longer than necessary for the purposes for which the data is processed. (§ 5(5), Denmark, The Act on Processing of Personal Data)
  • Personal data must not be kept in a form that identifies the data subject for longer than is necessary for the purposes of processing. Personal data that is stored for police purposes must be canceled when it is no longer necessary for investigations. Special consideration must be given to the data sub… (Art 4.5, Art 22.4, ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data)
  • The personal data controller must ensure personal data is not kept for longer than necessary for the purpose of the processing. If the personal data is kept for statistical, historical, or scientific purposes, it may be kept for a longer time period, but not longer than is necessary for the statistical… (§ 9 ¶ 1(i), § 9 ¶ 3, Sweden Personal Data Act (1998:204))
  • Personal data cannot be kept in a form in which the data subject can be identified for longer than necessary for achieving the purpose for which it was collected or subsequently processed. (Art 10.1, Netherlands Personal Data Protection Act, Session 1999-2000 Nr.92, REVISED BILL (as approved by the Lower House on 23 November 1999), Unofficial Translation)
  • Personal data must be kept in a form in which identification of the data subject is allowed only for as long as is necessary for the purposes for which the data was collected or for which it is further processed. Storage for longer periods for legitimate statistical, historical, or scientific purpos… (Art 5.1(e), Art 5.2, Portuguese Act on the Protection of Personal Data 67/98)
  • Personal data must be kept in a form to permit the data subject's identification only as long as is necessary for the collection purpose. A longer storage period may be specified by law. When the use of data in a form that identifies the data subject is legal for scientific research or statistics, t… (§ 6(1)5, § 46(5), Austria Data Protection Act)
  • Data should be "kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data were collected or subsequently processed." (Art 3(5), Lithuania Law on Legal Protection of Personal Data)
  • The data controller processing data should protect the data subject's interests with due care and ensure the data is kept in a form that identifies the data subject for no longer than is necessary for the purpose of the processing. (Art 26.1(4), Poland Protection of Personal Data Act)
  • The data controller must ensure that data subjects can be identified only for the time necessary for achieving the purpose of the processing. (§ 6(1)(g), Slovak Republic Protection of Personal Data in Information Systems)
  • The organization will not keep personal information provided by data subjects longer than necessary. (¶ 2, Guidance on the Information Charter, March 2009)
  • Personal data processed for any purpose(s) must not be kept any longer than is necessary for that purpose. (Sched 1 Part I.5, UK Data Protection Act of 1998)
  • PI no longer retained is anonymized, disposed of or destroyed in a manner that prevents loss, theft, misuse or unauthorized access. (U4.3 Disposes of, destroys and redacts PI, Privacy Management Framework, Updated March 1, 2020)
  • The organization should either delete PII or render it in a form which does not permit identification or re-identification of PII principals, as soon as the original PII is no longer necessary for the identified purpose(s). (§ 7.4.5 Control, ISO/IEC 27701:2019, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines)
  • The organization should ensure the purpose and use of a file is specified, legitimate, and publicized or is brought to the concerned person's attention, in order to ensure all collected personal data remains relevant and adequate to the specified purposes; no personal data is disclosed or used for i… (A.3, UN Guidelines for the Regulation of Computerized Personal Data Files (1990))
  • Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access. (P4.3 ¶ 2 Bullet 2 Disposes of, Destroys, and Redacts Personal Information, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Personal data cannot be kept when it is no longer necessary or pertinent for the purpose of the collection or the preservation term has expired. Corresponding regulations will state any exceptions of when data is authorized to be retained, by virtue of statistical, scientific, or historical value. (Art 4.IV, Colima Personal Data Protection Law (Decree No. 356))
  • The organization should inform individuals that personal information is only retained for as long as necessary, or a period as required by law or regulation. (Generally Accepted Privacy Principles and Criteria § 5.1.1 (b), Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should keep personal information for no longer than is necessary for the identified purposes, unless specifically required by a law or regulation. (Generally Accepted Privacy Principles and Criteria § 5.2.2, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should anonymize, destroy, or dispose of personal information when it is no longer required, in a way that prevents misuse, theft, unauthorized access, or loss. (Generally Accepted Privacy Principles and Criteria § 5.2.3, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should inform individuals that personal information is only retained for as long as necessary, or a period as required by law or regulation. (Table Ref 5.1.1.b, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should keep personal information for no longer than is necessary for the identified purposes, unless specifically required by a law or regulation. (Table Ref 5.2.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should anonymize, destroy, or dispose of personal information when it is no longer required, in a way that prevents misuse, theft, unauthorized access, or loss. (Table Ref 5.2.3, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a statement that personal information will be kept for a period no … (¶ 1.35.e.iv, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access. (P4.3 Disposes of, Destroys, and Redacts Personal Information, Trust Services Criteria)
  • Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access. (P4.3 ¶ 2 Bullet 2 Disposes of, Destroys, and Redacts Personal Information, Trust Services Criteria, (includes March 2020 updates))
  • Be protected in a manner that does not permit personal identification of individuals by anyone other than the State or local educational authority or agency headed by an official listed in §99.31(a)(3) and their authorized representatives, except that the State or local educational authority or age… (§ 99.35(b)(1), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • Health information that does not identify an individual and there is no reason to believe the information can be used to identify the individual is not considered individually identifiable health information. (§ 164.514(a), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Health information may be determined to not be individually identifiable health information only if a person with knowledge and experience with statistical and scientific principles and methods for rendering information not individually identifiable uses these principles and methods and determines t… (§ 164.514(b)(1), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)