Define what is included in the privacy policy.
CONTROL ID
00404
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a privacy policy., CC ID: 06281

This Control has the following implementation support Control(s):
  • Define the information being collected in the privacy policy., CC ID: 13115
  • Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy., CC ID: 12368
  • Include roles and responsibilities in the privacy policy., CC ID: 14669
  • Include management commitment in the privacy policy., CC ID: 14668
  • Include coordination amongst entities in the privacy policy., CC ID: 14667
  • Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy., CC ID: 14854
  • Include compliance requirements in the privacy policy., CC ID: 14666
  • Include the consequences of refusing to provide required information in the privacy policy., CC ID: 13111
  • Remove any privacy programs the organization is not a member of from the privacy policy., CC ID: 12367
  • Include independent recourse mechanisms in the privacy policy, as necessary., CC ID: 12366
  • Include the privacy programs the organization is a member of in the privacy policy., CC ID: 12365
  • Include a complaint form in the privacy policy., CC ID: 12364
  • Include the address where the files and hardware that support the data processing is located in the privacy policy., CC ID: 00405
  • Include the processing purpose in the privacy policy., CC ID: 00406
  • Include an overview of applicable information security controls in the privacy policy, as necessary., CC ID: 13117
  • Include the data subject categories being processed in the privacy policy., CC ID: 00407
  • Define the retention period for collected information in the privacy policy., CC ID: 13116
  • Include the time period for when the data processing will be carried out in the privacy policy., CC ID: 00408
  • Include other organizations that personal data is being disclosed to in the privacy policy., CC ID: 00409
  • Include how to gain access to personal data held by the organization in the privacy policy., CC ID: 00410
  • Include instructions on how to opt-out in the privacy policy., CC ID: 00411
  • Include the privacy policy's Uniform Resource Locator in the privacy policy., CC ID: 12363
  • Include instructions on how to disable devices that collect restricted data in the privacy policy., CC ID: 15454
  • Include a description of devices that collect restricted data in the privacy policy., CC ID: 15452
  • Define the audit method used to assess the privacy program in the privacy policy., CC ID: 12390


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The rights and obligations of data subjects and legal representatives, and how to exercise the rights; (Article 30(1) (5), Personal Information Protection Act)
  • Other matters prescribed by Presidential Decree in relation to the processing of personal information. (Article 30(1) (8), Personal Information Protection Act)
  • The information commissioner may approve a privacy code only if the code states what organizations must follow the code or a way to determine which organizations must follow the code. (§ 18BB(2)(b), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner may approve a privacy code only if the code establishes procedures for making and dealing with complaints that may be an interference with the privacy of an individual. (§ 18BB(2)(e), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner must be satisfied that the privacy code provides that an adjudicator, in exercising his or her duties or performing his or her functions, has the same regard for the requirements of section 29(a) as the commissioner does before approving a privacy code that includes proc… (§ 18BB(3)(c), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner must be satisfied that the privacy code requires the annual report to include the number and nature of complaints made to the adjudicator during the financial year, before approving a privacy code that includes procedures for making and dealing with complaints. (§ 18BB(3)(k), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner must be satisfied that the privacy code requires the annual report to include a summary that identifies the nature of the complaint for each complaint that is dealt with by the adjudicator even if the adjudicator did not make a determination, declaration, order, finding… (§ 18BB(3)(ka)(i), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner must be satisfied that the privacy code requires the annual report to include a summary that identifies the outcome of each complaint that is dealt with by the adjudicator even if the adjudicator did not make a determination, declaration, order, finding, or direction for… (§ 18BB(3)(ka)(iii), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • (Art 6.2.a, Greece Law Protection of personal data and privacy in electronic telecommunications sector (Law 3471))
  • The organization must define and document the privacy policy with respect to notices. (Generally Accepted Privacy Principles and Criteria § 1.1.0 a, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization must define and document the privacy policy with respect to choice and consent. (Generally Accepted Privacy Principles and Criteria § 1.1.0 b, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization must define and document the privacy policy with respect to collection. (Generally Accepted Privacy Principles and Criteria § 1.1.0 c, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization must define and document the privacy policy with respect to use, retention, and disposal. (Generally Accepted Privacy Principles and Criteria § 1.1.0 d, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization must define and document the privacy policy with respect to Access. (Generally Accepted Privacy Principles and Criteria § 1.1.0 e, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization must define and document the privacy policy with respect to disclosure to third parties. (Generally Accepted Privacy Principles and Criteria § 1.1.0 f, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization must define and document the privacy policy with respect to security for privacy. (Generally Accepted Privacy Principles and Criteria § 1.1.0 g, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization must define and document the privacy policy with respect to quality. (Generally Accepted Privacy Principles and Criteria § 1.1.0 h, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization must define and document the privacy policy with respect to monitoring and enforcement. (Generally Accepted Privacy Principles and Criteria § 1.1.0 i, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Personal information and sensitive personal information is covered by the privacy policy and related security policies and processes. (Generally Accepted Privacy Principles and Criteria § 1.2.3, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should include providing notice to individuals. (Generally Accepted Privacy Principles and Criteria § 2.1.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should include information about choice and consent. (Generally Accepted Privacy Principles and Criteria § 2.1.1 b, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should include procedures for notifying individuals about how personal information is collected. (Generally Accepted Privacy Principles and Criteria § 2.1.1 c, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should include procedures for the use, retention, and disposal of personal information. (Generally Accepted Privacy Principles and Criteria § 2.1.1 d, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should include procedures for disclosing personal information to third parties. (Generally Accepted Privacy Principles and Criteria § 2.1.1 f, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should include what type of security is used for personal information. (Generally Accepted Privacy Principles and Criteria § 2.1.1 g, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should include procedures for ensuring the quality of the personal information. (Generally Accepted Privacy Principles and Criteria § 2.1.1 h, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should include information on monitoring and enforcement of privacy policies. (Generally Accepted Privacy Principles and Criteria § 2.1.1 i, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should include a description of the other sources that personal information is collected from, other than the individual. (Generally Accepted Privacy Principles and Criteria § 2.1.1 ¶ 2, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should include a description of the organization's objectives and the activities that are covered in the privacy policy. (Generally Accepted Privacy Principles and Criteria § 2.2.2, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should include what choices are available and when consent is needed. (Generally Accepted Privacy Principles and Criteria § 3.1.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should include the collection of personal information. (Generally Accepted Privacy Principles and Criteria § 4.1.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy notice should include the types of personal information the organization collects. (Generally Accepted Privacy Principles and Criteria § 4.1.2, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy notice should include the collection methods, including cookies and other tracking techniques. (Generally Accepted Privacy Principles and Criteria § 4.1.2, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should address the disposal of personal information. (Generally Accepted Privacy Principles and Criteria § 5.1.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should address the use of personal information. (Generally Accepted Privacy Principles and Criteria § 5.1.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should address the retention of personal information. (Generally Accepted Privacy Principles and Criteria § 5.1.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should include how personal information is disclosed to third parties. (Generally Accepted Privacy Principles and Criteria § 7.1.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should address the security of personal information. (Generally Accepted Privacy Principles and Criteria § 8.1.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should include personal information quality. (Generally Accepted Privacy Principles and Criteria § 9.1.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should include the monitoring and the enforcement of the organization's privacy policies and procedures. (Generally Accepted Privacy Principles and Criteria § 10.1.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization must define and document the privacy policy, which includes notice, choice, consent, collection, use, retention, disposal, access, disclosure to third parties, security, quality, monitoring, and enforcement. (Table Ref 1.1.0, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy policy should include providing notice to individuals. (Table Ref 2.1.0, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy policy should include information about choice and consent. (Table Ref 2.1.1.b, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy policy should include procedures for notifying individuals about how personal information is collected. (Table Ref 2.1.1.c, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy policy should include procedures for the use, retention, and disposal of personal information. (Table Ref 2.1.1.d, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy policy should include what type of security is used for personal information. (Table Ref 2.1.1.g, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy policy should include procedures for ensuring the quality of the personal information. (Table Ref 2.1.1.h, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy notice should include a description of the organization's objectives and the activities that are covered in the privacy policy. (Table Ref 2.2.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy policy should include what choices are available and when consent is needed. (Table Ref 3.1.0, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy notice should describe, in a clear and concise way, the choices an individual has with respect to the collection, use, and disclosure of personal information. (Table Ref 3.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy notice should include the process an individual will take for each choice. (Table Ref 3.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy notice should include a description of the process individuals take to change their contact preferences. (Table Ref 3.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy policy should include the collection of personal information. (Table Ref 4.1.0, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy notice should include the types of personal information the organization collects. (Table Ref 4.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy notice should include the methods and the sources the organization uses to collect personal information. (Table Ref 4.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy notice should include if the organization develops or acquires personal information about individuals. (Table Ref 4.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy notice should include the types of personal information the organization collects. (Table Ref 4.1.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy notice should include the collection methods, including cookies and other tracking techniques. (Table Ref 4.1.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy notice should include if the organization uses cookies and web beacons, along with the consequences of refusing the cookies. (Table Ref 4.1.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy notice should state if the organization acquires and develops information about individuals using credit history, third party sources, browsing, purchasing history, and more. (Table Ref 4.2.4, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy policy should address the disposal of personal information. (Table Ref 5.1.0, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy policy should address the use of personal information. (Table Ref 5.1.0, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy policy should address the retention of personal information. (Table Ref 5.1.0, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy notice should include procedures for individuals to use to update and correct their personal information. (Table Ref 6.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy notice should include procedures to resolve disagreements related to personal information. (Table Ref 6.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy policy should include how personal information is disclosed to third parties. (Table Ref 7.1.0, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy notice should describe how personal information is shared with third parties and why it is shared. (Table Ref 7.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy notice should include a notification to individuals that personal information is only disclosed to third parties for identified purposes or when the individual has given consent. (Table Ref 7.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy notice should describe general types of security measures the organization uses to protect personal information, such as using authentication to prevent unauthorized access to electronic personal information. (Table Ref 8.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy notice should describe general types of security measures the organization uses to protect personal information, such as maintaining physical security of hard copy personal information. (Table Ref 8.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy notice should describe general types of security measures the organization uses to protect personal information, such as encrypting personal information that is sent over the Internet. (Table Ref 8.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should consider including the security obligations of individuals in the privacy notice, such as reporting security compromises and keeping User IDs and passwords secret. (Table Ref 8.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy policy should include personal information quality. (Table Ref 9.1.0, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy policy should explain that individuals are only required to keep their personal information accurate and complete when they have an ongoing relationship. (Table Ref 9.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy policy should include the monitoring and the enforcement of the organization's privacy policies and procedures. (Table Ref 10.1.0, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy policy should include a description of how individuals can make complaints, inquiries, and disputes. (Table Ref 10.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy policy should include the contact information to direct complaints to. (Table Ref 10.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • § 312.4(b)(2): The information practices notice must state the following to be considered complete: (1) the name, telephone number, e-mail address, and address of all operators that collect or maintain personal information on children, as long as only one name and contact information is listed for… (§ 312.4(b)(2), § 312.4(c)(1), 16 CFR Part 312, Children's Online Privacy Protection Rule)
  • (§ 551(a)(1)(A) thru § 551(a)(1)(E), Cable Communications Privacy Act Title 47 § 551)
  • (§ 1303(b)(1)(A)(i), Children's Online Privacy Protection Act of 1998)
  • The disclosure should include the policies and practices of the organization; the categories of persons who the organization may disclose the nonpublic personal information to; the categories of information collected by the organization, and the policies of the organization used to protect the confi… (§ 6803(b), Gramm-Leach-Bliley Act (GLB), Deprecated)
  • The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuan… (§ III.6.d., EU-U.S. Privacy Shield Framework Principles)
  • Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy pol… (§ III.7.c., EU-U.S. Privacy Shield Framework Principles)
  • For verification with the self-assessment method, the verification would have to show the privacy policy about personal information received from the European Union is comprehensive; accurate; completely implemented; prominently displayed; accessible; conforms to the safe harbor principles; has proc… (FAQ-Verification ¶ 2, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • The organization must state in the privacy policy that it adheres to the safe harbor principles. (FAQ-Self-Certification ¶ 4, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • If a covered entity chooses to limit the uses or disclosures, it may describe the more limited use or disclosure in the notice, provided the covered entity does not include a limitation affecting its right to make a use or disclosure required by law. (§ 164.520(b)(2), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • A covered entity that participates in organized health care arrangements may comply with the requirements by a joint notice, provided the joint notice meets the implementation specifications in § 164.520(b), except the statements may be modified to cover more than one covered entity; describes the … (§ 164.520(d)(2), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Describes with reasonable specificity the service delivery sites, or classes of service delivery sites, to which the joint notice applies; and (§ 164.520(d)(2)(ii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • The right of an individual, including an individual who has agreed to receive the notice electronically in accordance with paragraph (c)(3) of this section, to obtain a paper copy of the notice from the covered entity upon request. (§ 164.520(b)(1)(iv)(F), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Describes with reasonable specificity the covered entities, or class of entities, to which the joint notice applies; (§ 164.520(d)(2)(i), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • If applicable, states that the covered entities participating in the organized health care arrangement will share protected health information with each other, as necessary to carry out treatment, payment, or health care operations relating to the organized health care arrangement. (§ 164.520(d)(2)(iii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Required elements. The covered entity must provide a notice that is written in plain language and that contains the elements required by this paragraph. (§ 164.520(b)(1), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • The right to receive confidential communications of protected health information as provided by §164.522(b), as applicable; (§ 164.520(b)(1)(iv)(B), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • The privacy notice must include the categories of nonpublic personal information that is collected; the categories of nonpublic personal information that is disclosed; the categories of affiliated and nonaffiliated third parties that nonpublic personal information is disclosed to; the categories of … (§ 313.6, 16 CFR Part 313, Privacy of Consumer Financial Information)
  • Are the privacy disclosures that are used on the Credit Union website designed to call attention to the nature and significance of the notice's information? (IT - Compliance Q 8, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Provide information needed by the public to make an informed decision about whether and how to interact with the organization; and (PM-20(1) ¶ 1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PT-1a.1(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PT-1a.1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PT-1a.1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PT-1a.1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PT-1a.1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PT-1a.1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide information needed by the public to make an informed decision about whether and how to interact with the organization; and (PM-20(1) ¶ 1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PT-1a.1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provide information needed by the public to make an informed decision about whether and how to interact with the organization; and (PM-20(1) ¶ 1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Its online privacy policy or policies if the business has an online privacy policy or policies. (§ 1798.135 (c)(2)(A), California Civil Code Division 3 Part 4 Title 1.81.5 California Consumer Privacy Act of 2018, Amended November 3, 2020)
  • The privacy protection policy must protect the confidentiality of, limit access to, and prohibit the unlawful disclosure of Social Security numbers. (§ 1(b), Connecticut Public Act 08-167, An Act Concerning the Confidentiality of Social Security Numbers)
  • Disclose how the operator responds to web browser "do not track" signals or other mechanisms that provide users the ability to exercise choice regarding the collection of personally identifiable information about a user's online activities over time and across third-party internet websites, online o… (§ 1205C(b)(5), Delaware Code, Title 6, Commerce and Trade, Subtitle II, Other Laws Relating to Commerce and Trade, Chapter 12C, Online and Personal Privacy Protection)