Establish, implement, and maintain a personal data transparency program.

CONTROL ID
00375
CONTROL TYPE
Data and Information Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a privacy framework that protects restricted data., CC ID: 11850

This Control has the following implementation support Control(s):
  • Establish and maintain privacy notices, as necessary., CC ID: 13443
  • Refrain from delivering privacy notices to data subjects, as necessary., CC ID: 13445
  • Deliver privacy notices to data subjects, as necessary., CC ID: 13444
  • Update privacy notices, as necessary., CC ID: 13474
  • Redeliver privacy notices, as necessary., CC ID: 14850
  • Deliver privacy notices to third parties, as necessary., CC ID: 13473
  • Obtain acknowledgment of receipt of the privacy notice., CC ID: 14435
  • Document any reasons acknowledgment of the privacy notice was not received., CC ID: 14434
  • Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous., CC ID: 13466
  • Establish, implement, and maintain opt-out notices., CC ID: 13448
  • Deliver opt-out notices, as necessary., CC ID: 13449
  • Provide a copy of the organization's privacy program to statutory authorities, as necessary., CC ID: 12376
  • Notify data subjects about the organization's external requirements relevant to the privacy program., CC ID: 12354
  • Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties., CC ID: 12352
  • Require a data protection impact assessment when profiling the data subject., CC ID: 12680
  • Establish, implement, and maintain adequate openness procedures., CC ID: 00377
  • Refrain from providing information to the data subject, as necessary., CC ID: 12625
  • Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request., CC ID: 00393
  • Define the acceptable data modifications before presenting the data to a data subject., CC ID: 00400
  • Provide the data subject with information about the legitimate interests associated with personal data processing., CC ID: 12614

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • A public body that issues licenses, permits, and approvals may issue them in the form of a data message. (§ 20(b)(ii), The Electronic Communications and Transactions Act, 2002)
  • Data policies and practices regarding personal data must be made publicly available, and the kind of data they handle and what the purpose of the collection of that data is. (Sched 1 Principle 5, Hong Kong Personal Data (Privacy) Ordinance)
  • O105: The organization should disclose its information security practices to enable consumers to select appropriate financial services organizations and trading institutions. O105.2: The organization should disclose information about the following topics: how customer data is protected to ensure con… (O105, O105.2, O105.3, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Personal information shall be processed according to law when it is necessary, with justified reason, and in good faith, and the processing may not involve misguidance, fraud, coercion, and the like. (Article 5, Personal Information Protection Law of the People's Republic of China)
  • The principles of openness and transparency shall be observed in the processing of personal information, the rules for processing personal information shall be disclosed, and the purposes, means, and scope of processing shall be explicitly indicated. (Article 7, Personal Information Protection Law of the People's Republic of China)
  • The information commissioner may approve a privacy code only if the public has been given adequate opportunity to comment on a draft of the code. (§ 18BB(2)(f), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner must make the register of approved privacy codes available to the public. (§ 18BG(3), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner may make a written determination if he or she is satisfied that an act or practice breaches or may breach an approved privacy code or a national privacy principle and the public interest in doing the practice or act substantially outweighs the public interest in complyin… (§ 72(2), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner must make the register of determinations available to the public. (§ 80E(3), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • Member States must ensure processing operations are publicized. Notifications received by the supervisory authority in accordance with Article 18 must be kept in a register and contain the information listed in Article 19.1. Any person may inspect the register. For processing operations that are not… (Art 21, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Unofficial Translation)
  • processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); (Art. 5.1.(a), Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • fair and transparent processing; (Art. 40.2.(a), Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • The online public register may be examined, free of charge, by any person, except for the information provided in Articles 13(1)(g) and 14(2)(i). The Commission Nationale may restrict disclosure to the register if necessary to safeguard national security; public safety; defense; preventing, tracking… (Art 15(4), Art 15(5), Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data)
  • In cooperation with the Authority for Communications Safeguards, the Guarantee will issue a provision for entering and using personal data contained in publicly available paper or electronic directories for any data that was collected prior to entry into force of this Code. This provision must lay d… (§ 129, Italy Personal Data Protection Code)
  • The General Data Protection Register may be consulted by anyone to learn if personal data exists, the purpose of the personal data, and the identity of the data controller. The General Register must be open and free of charge for public consultation. (Art 14, ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data)
  • The Data Protection Commission will establish a register for data applications for examining the legalities of the applications and to inform the data subjects. The register may be inspected by anyone and access will be granted if the person can demonstrate that he/she is a data subject and the data… (§ 16(1), § 16(2), Austria Data Protection Act)
  • The organization's information charter must provide data subjects with instructions on how to find out what personal information the organization holds about them; instructions on how to request the correction of mistakes; information on agreements with other organizations for sharing information; i… (¶ 4, Guidance on the Information Charter, March 2009)
  • The contractor must be provided access to the security policy framework (SPF) and any amendments. The normal method to access this is via the MOD DE&S DHSY/PSyA restricted website. The SPF provides detailed security requirements for senior managers, security staff, and line managers. (¶ 41, The Contractual process, Version 5.0 October 2010)
  • The controller must make available to data subjects the following information (whether by making the information generally available to the public or in any other way)— (§ 44(1), UK Data Protection Act 2018 Chapter 12)
  • fair and transparent. (§ 86(1)(b), UK Data Protection Act 2018 Chapter 12)
  • The controller must make available to data subjects the following information (whether by making the information generally available to the public or in any other way)— (§ 44(1), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • fair and transparent. (§ 86(1)(b), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • The CSP must have in place, and describe to CSCs the procedure to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations. The CSP must give special attention to the notification procedure to interested CSCs, unless o… (DSP-18, Cloud Controls Matrix, v4.0)
  • Define, implement and evaluate processes, procedures and technical measures to disclose the details of any personal or sensitive data access by sub-processors to the data owner prior to initiation of that processing. (DSP-14, Cloud Controls Matrix, v4.0)
  • Transparency: clearly disclosing information about data collection and data use practices (TC-IM-220a.1. 6.2, Internet Media & Services Sustainability Accounting Standard, Version 2018-10)
  • Transparency: clearly disclosing information about data collection and data use practices (TC-SI-220a.1. 6.2, Software & IT Services Sustainability Accounting Standard, Version 2018-10)
  • Transparency: clearly disclosing information about data collection and data use practices (TC-TL-220a.1. 6.2, Telecommunication Services Sustainability Accounting Standard, Version 2018-10)
  • An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information. (Schedule 1 4.8 Principle 8 - Openness, Canada Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Last amended on June 23, 2015)
  • Specific information must be made readily available to individuals regarding the organization's policies and practices on managing personal information. (Sched 1 Clause 4.8, Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5)
  • The State Commission for Access to Public Information must develop and maintain a Data Protection Register. (Art 16.VI, Colima Personal Data Protection Law (Decree No. 356))
  • In order to exercise the right of access to public information, it is not needed to establish legitimate interests of the data subject or reasons for motivating the request, except for confidential or proprietary information. Every public agency must collate their information for facilitating access… (Art 7, Art 19, Tlaxcala Law on Access to Public Information and Personal Data Protection)
  • Notice: The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed. (Privacy Principle 2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • § 422.128(b)(1): A Medicare Advantage (MA) organization must maintain written policies and procedures for advance directives regarding adult individuals receiving care. MA organizations must provide written information to these individuals about their rights under state law to make decisions about … (§ 422.128(b)(1), § 422.516(f), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • When collecting children's personal information, the operator of the website or online service that did the collecting must "provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator's disclosure practices f… (§ 1303(b)(1)(A)(1), Children's Online Privacy Protection Act of 1998)
  • The consumer reporting agency should provide trained personnel to explain the information contained in the credit report to consumers. (§ 610(c), Fair Credit Reporting Act (FCRA), July 30, 2004)
  • Title IX of the Public Health Service Act (42 U.S.C. 299b-22), § 922(c)(3), is amended to state that a provider or patient safety organization, when voluntarily disclosed, shall treat nonidentifiable patient safety work product as unprivileged. (§ 2(a)(5), Patient Safety And Quality Improvement Act Of 2005, Public Law 109-41, 109th Congress)
  • In order to provide transparency in respect of lawful requests by public authorities to access personal information, participating organizations may voluntarily issue periodic transparency reports on the number of requests for personal information they receive by public authorities for law enforceme… (III.16.a., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • its commitment to subject to the Principles all personal data received from the EU in reliance on the Privacy Shield, (§ II.1.a.iii, EU-U.S. Privacy Shield Framework Principles)
  • The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuan… (§ III.6.d., EU-U.S. Privacy Shield Framework Principles)
  • In order to provide transparency in respect of lawful requests by public authorities to access personal information, Privacy Shield organizations may voluntarily issue periodic transparency reports on the number of requests for personal information they receive by public authorities for law enforcem… (§ III.16.a., EU-U.S. Privacy Shield Framework Principles)
  • In order to provide transparency in respect of lawful requests by public authorities to access personal information, participating organizations may voluntarily issue periodic transparency reports on the number of requests for personal information they receive by public authorities for law enforceme… (iii.16.a., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • In order to provide transparency in respect of lawful requests by public authorities to access personal information, participating organizations may voluntarily issue periodic transparency reports on the number of requests for personal information they receive by public authorities for law enforceme… (III.16.a., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • The Department of Commerce will maintain a public list of organizations that have self-certified and note on the list any notifications that it has received of persistent failure to comply after providing the organization 30 days notice and an opportunity to respond. (FAQ-Dispute Resolution and Enforcement "Persistent Failure to Comply" ¶ 2, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • The self-certification letters and the list of organizations that are assured of safe harbor benefits will be publicly available. (FAQ-Self-Certification ¶ 4, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • The public list of self-certified organizations maintained by the Department of Commerce will make clear which organizations are assured of safe harbor benefits and which are not. (FAQ-Dispute Resolution and Enforcement "Persistent Failure to Comply" ¶ 2, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • A covered entity may not threaten, discriminate against, intimidate, coerce, or take retaliatory action against individuals for exercising their rights, including filing a complaint or any individual or other person for assisting, testifying, or participating in an investigation, proceeding, hearing… (§ 164.530(g), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • If CSPs process attributes for purposes other than identity proofing, authentication, or attribute assertion (collectively "identity service"), related fraud mitigation, or to comply with law or legal process, CSPs SHALL implement measures to maintain predictability and manageability commensurate wi… (4.4 ¶ 2, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • If CSPs process attributes for purposes other than identity proofing, authentication, or attribute assertions (collectively "identity service"), related fraud mitigation, or to comply with law or legal process, CSPs SHALL implement measures to maintain predictability and manageability commensurate w… (4.2 ¶ 1.4, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • If an IdP discloses information on subscriber activities at an RP to any party, or processes the subscriber's information for any purpose other than identity proofing, authentication, or attribute assertions (collectively "identity service"), related fraud mitigation, to comply with law or legal pro… (5.2 ¶ 3, Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)
  • Contextual factors related to the systems/products/services and the data actions are identified (e.g., individuals' demographics and privacy interests or perceptions, data sensitivity and/or types, visibility of data processing to individuals and third parties). (ID.RA-P1, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Transparency policies, processes, and procedures for communicating data processing purposes, practices, and associated privacy risks are established and in place. (CM.PO-P1, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Policies, processes, and procedures are maintained and used to increase transparency of the organization's data processing practices (e.g., purpose, scope, roles and responsibilities in the data processing ecosystem, and management commitment) and associated privacy risks. (Communication Policies, Processes, and Procedures (CM.PO-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization should have a general policy of openness about personal data. (§ 2.3 ¶ 2 Bullet Openness, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization publishes Computer Matching Agreements on its public website. (DI-2(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization publishes SORNs on its public website. (TR-2(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • A consumer credit reporting agency that provides prequalifying reports in connection with credit transactions not initiated by the consumer shall establish and maintain a notification system that allows a consumer to notify the credit reporting agency of the consumer's choice to have their names and… (§ 1785.11(e), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer credit reporting agency is not prevented from advising a third party that a security freeze is in place for the requested credit report. (§ 1785.11.2(a), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • The procedures used to avoid violations and to limit the providing of credit reports shall require prospective users to identify themselves, certify why the information is sought, and certify the information will not be used for other purposes. (§ 1785.14(a), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • The consumer credit reporting agency may require a consumer to submit a written statement granting the credit reporting agency permission to discuss the consumer's file in front of another person. (§ 1785.15(e), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • Regulations about creating, modifying, or suppressing registers, files, or data banks that belong to public bodies must be adopted by means of general provisions that have been published in the National Official Gazette or in the official journal. The regulations will define the purpose and characte… (§ 22, Argentina Personal Data Protection Act)
  • The controller shall adopt measures to ensure transparency of data processing based on her/his legitimate interests. (Art. 10.II § 2, Brazilian Law No. 13709, of August 14, 2018)
  • have the purpose of establishing a relationship of confidence with the data subject, by means of transparent operation, and that ensure mechanisms for the data subject to participate; (Art. 50 § 2 I(e), Brazilian Law No. 13709, of August 14, 2018)