Document privacy policies in clearly written and easily understood language.

CONTROL ID
00376
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a privacy policy., CC ID: 06281

This Control has the following implementation support Control(s):
  • Write privacy notices in the official languages required by law., CC ID: 16529


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Without prejudice to the generality of section 68, where pursuant to a data access request or data correction request a data user is required to, or may, inform a requestor of any matter by notice in writing, then the requestor shall be deemed not to be so informed unless and until the requestor is … (Part 5 Division 3 Section 29 ¶ 1, Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • To help users more easily understand the information being disclosed, the organization should use graphical representations and other means. (O105.4, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • A notice under subsection (1) shall be in the national and English languages, and the individual shall be provided with a clear and readily accessible means to exercise his choice, where necessary, in the national and English languages. (Part II Division 1 7. (3), Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • The organization should use plain language to communicate security precautions and policies to customers. (Attach E ¶ 4, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • An organization must establish and maintain a document clearly expressing its policies on managing personal information. (Sched 3 § 5.1, Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • "An organization must set out in a document clearly expressed policies on its management of personal information. The organization must make the document available to anyone who asks for it." (Sched 3.5.1, Australia Privacy Act 1988)
  • An APP entity must have a clearly expressed and up-to-date policy (the APP privacy policy) about the management of personal information by the entity. (Schedule 1 Part 1 Principle 1 Section 1.3, Australian Privacy Act 1988, Compilation No. 77)
  • The entity's privacy notice is conspicuous and uses clear language. (N2.1 Clear and conspicuous, Privacy Management Framework, Updated March 1, 2020)
  • The entity's privacy notice is current, dated, uses clear language, and is in a location that can be easily found by data subjects. (P1.1 ¶ 2 Bullet 4 Uses Clear Language and Presents a Current Privacy Notice in a Location Easily Found by Data Subjects, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization should ensure it makes the policies and procedures for the management of personal information available to all individuals. (§ J1, Canadian Marketing Association Code of Ethics and Standards of Practice)
  • Public agencies will regularly update the information referred to in this chapter. The Commission will issue relevant operating agreements to establish friendly formats that are clear and understandable for querying the public entities information. The updating time must not exceed 3 months from the… (Art 18, Tlaxcala Law on Access to Public Information and Personal Data Protection)
  • The privacy notice is written in plain and simple language. (Generally Accepted Privacy Principles and Criteria § 2.2.3, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy notice should state the purpose in a way that it is clearly written and easy to understand. (Table Ref 2.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should ensure the privacy notice is written in plain and simple language. (Table Ref 2.2.3, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The entity's privacy notice is conspicuous and uses clear language. (P1.1 Uses Clear and Conspicuous Language, Trust Services Criteria)
  • The entity's privacy notice is conspicuous and uses clear language. (P1.1 ¶ 2 Bullet 4 Uses Clear and Conspicuous Language, Trust Services Criteria, (includes March 2020 updates))
  • Unless a licensee is providing privacy notices directly to covered individuals described in Section 4F(2)(e)(i), (ii) or (iii), a licensee shall provide initial, annual and revised notices to the plan sponsor, group or blanket insurance policyholder or group annuity contractholder, or workers' compe… (Section 10. ¶1, Privacy of Consumer Financial and Health Information Regulation, NAIC MDL-672, Q2 2017)
  • Be clear and conspicuous; (Section 7.D(2)(a), Privacy of Consumer Financial and Health Information Regulation, NAIC MDL-672, Q2 2017)
  • The licensee has provided to the consumer a clear and conspicuous revised notice that accurately describes its policies and practices; (Section 9.A(1), Privacy of Consumer Financial and Health Information Regulation, NAIC MDL-672, Q2 2017)
  • General principles of notice. It shall be the obligation of the operator to provide notice and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children. Such notice must be clearly and understandably written, complete, and must contain no unrela… (§ 312.4(a), 16 CFR Part 312, Children's Online Privacy Protection Rule)
  • Notices must be written clearly and be understandable and complete and must not contain unrelated, contradictory, or confusing materials. (§ 312.4(a), 16 CFR Part 312, Children's Online Privacy Protection Rule)
  • Form of notice. Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and be provided separately from its regular correspondence with the cardholder. (§ 248.202 (e), 17 CFR Part 248 Subpart C, Regulation S-ID - Identity Theft Red Flags)
  • The officials and authorities to whom the records are disclosed shall certify in writing to the educational agency or institution that the information will not be disclosed to any other party, except as provided under State law, without the prior written consent of the parent of the student. (§ 99.38(b), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The Federal banking agencies, the National Credit Union Association, and the Federal Trade Commission have jointly established and maintain guidelines about identity theft and are required to keep the guidelines updated. These agencies require financial institutions and creditors to establish polici… (§ 114, Fair and Accurate Credit Transactions Act of 2003 (FACT Act))
  • The Federal banking agencies, the National Credit Union Association, and the Federal Trade Commission have jointly established and maintain guidelines about identity theft and are required to keep the guidelines updated. These agencies require financial institutions and creditors to establish polici… (§ 615(e), Fair Credit Reporting Act (FCRA), July 30, 2004)
  • The organization must provide notices in clear and conspicuous language. (NOTICE, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • Are the privacy disclosures that are used on the Credit Union website reasonably understandable? (IT - Compliance Q 8, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are the privacy disclosures that are used on the Credit Union website clear and conspicuous? (IT - Compliance Q 8, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are written in plain language and organized in a way that is easy to understand and navigate; (PM-20(1) ¶ 1(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language; (PT-5b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Work with legal counsel and management, key departments and committees to ensure the organization has and maintains appropriate privacy and confidentiality consent, authorization forms and information notices and materials reflecting current organization and legal practices and requirements. (T0862, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Work with legal counsel and management, key departments and committees to ensure the organization has and maintains appropriate privacy and confidentiality consent, authorization forms and information notices and materials reflecting current organization and legal practices and requirements. (T0862, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language; (PT-5b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Are written in plain language and organized in a way that is easy to understand and navigate; (PM-20(1) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language; (PT-5b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Are written in plain language and organized in a way that is easy to understand and navigate; (PM-20(1) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • A licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of twelve (12) consecutive months during which that… (Regulation 6-4-1 § 6 A.1., Colorado Code of Regulations, Section 702-6, Consumer Protection (General))
  • Anyone who owns, stores, licenses, or maintains personal information about a Massachusetts resident must develop, implement, maintain, and monitor a written information security program. This program must be consistent with industry standards and contain technical, physical, and administrative safeg… (§ 17.03(1), § 17.03(3), § 17.04, Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts)
  • Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (§ 59.1-578.C., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)