Include the processing purpose in the privacy policy.

CONTROL ID
00406
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Define what is included in the privacy policy., CC ID: 00404

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The name of the person (referring to the name of a legal entity, if the person is a legal entity) to whom personal information is furnished, if the personal information is furnished to a third party, purposes of use of the person to whom the personal information is furnished, and items of the person… (Article 27-2(2)(2), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Purposes of collection and use of personal information, items of personal information collected, and methods of collection; (Article 27-2(2)(1), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Details of business affairs subject to the entrustment of management of personal information and the trustee (they shall be included in the policy on management, only where this subparagraph is applicable); (Article 27-2(2)(4), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • The purposes for which personal information is processed; (Article 30(1) (1), Personal Information Protection Act)
  • A recordkeeper shall maintain a record that states the purpose of each record type that is kept. (§ 14 Prin. 5(3)(b), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • the purposes for which the entity collects, holds, uses and discloses personal information; (Schedule 1 Part 1 Clause 1 Subclause 1.4(c), Australian Privacy Act 1988, Compilation No. 77)
  • (Art 11.a, Bosnia Law on Protection of Personal Data)
  • (Art 6.2.c, Greece Law Protection of personal data and privacy in electronic telecommunications sector (Law 3471))
  • The privacy notice should include the purpose for which the personal information is collected. (Generally Accepted Privacy Principles and Criteria § 2.1.1 a, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy notice should include the purpose for which the personal information is collected. (Table Ref 2.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy notice should include the purpose for collecting sensitive personal information and if the collection is legally required. (Table Ref 2.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The information practices notice must state how personal information collected from a child is or may be used, including fulfilling a requested transaction, marketing back to a child, recordkeeping, or making the information publicly available. (§ 312.4(b)(2)(iii), 16 CFR Part 312, Children's Online Privacy Protection Rule)
  • (§ 551(a)(1)(B), Cable Communications Privacy Act Title 47 § 551)
  • Notices must contain the following: a description and example of the types of uses and disclosures allowed for treatment, payment, and health care operations; a description of other purposes that is allowed or required to use or disclose protected health information without written authorization; us… (§ 164.520(b)(1)(ii), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Notices must contain an appropriate header, ensuring the reader reviews it carefully. (§ 164.520(b)(1)(i), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; (PM-18a.4., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PT-1a.1(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Describe the purpose(s) in the public privacy notices and policies of the organization; (PT-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; (PM-18a.4., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PT-1a.1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PT-1a.1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; (PM-18a.4., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PT-1a.1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; (PM-18a.4., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PT-1a.1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The purposes for the data actions are inventoried. (ID.IM-P5, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization describes the purpose(s) for which personally identifiable information (PII) is collected, used, maintained, and shared in its privacy notices. (AP-2 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (TR-1a.(iii), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Describe the purpose(s) in the public privacy notices and policies of the organization; (PT-3b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PT-1a.1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; (PM-18a.4., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Describe the purpose(s) in the public privacy notices and policies of the organization; (PT-3b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (PT-1a.1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; (PM-18a.4., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The purposes for which the categories of personal data are processed; (§ 6-1-1308 (1)(a)(II), Colorado Revised Statutes, Title 6, Article 1, Part 13, Colorado Privacy Act)
  • the purpose for processing personal data; (§ 6 (c)(2), Connecticut Public Act No. 22-15, An Act Concerning Personal Data Privacy and Online Monitoring)
  • If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing. (§ 12D-106.(d), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • The purpose of processing personal data. (§ 501.711(1)(b), Florida Statutes, Title XXXIII, Chapter 501, Sections 701-721, Florida Digital Bill of Rights)
  • the purpose for processing personal data; (IC 24-15-4-3 ¶ 1(2), Indiana Code, Title 24, Article 15, Consumer Data Protection)
  • If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the processing, as well as the way a consumer may exercise the right to opt out of the processing (§ Section 7. (4), Montana Consumer Data Privacy Act 2023)
  • the purpose for processing personal data; (§ Section 7. (5)(b), Montana Consumer Data Privacy Act 2023)
  • the circumstances under which information, including personal information, collected may be disclosed; (§ 203.1(b), New York State Technology Law, Article 2 Internet Security and Privacy Act)
  • a statement of any information, including personal information, the state agency website will collect with respect to the user and the use of the information; (§ 203.1(a), New York State Technology Law, Article 2 Internet Security and Privacy Act)
  • Describes the controller's purposes for processing the personal data; (Section 5 (4)(b), 82nd Oregon Legislative Assembly, Senate Bill 619)
  • Provides a clear and conspicuous description of any processing of personal data in which the controller engages for the purpose of targeted advertising or for the purpose of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance, and a proced… (Section 5 (4)(h), 82nd Oregon Legislative Assembly, Senate Bill 619)
  • Specify in the privacy notice described in subsection (4) of this section the express purposes for which the controller is collecting and processing personal data; (Section 5 (1)(a), 82nd Oregon Legislative Assembly, Senate Bill 619)
  • the purpose for processing personal data; (§ 541.102 (a)(2), Texas Business and Commercial Code, Title 11, Subtitle C, Chapter 541, Subchapter A, Section 541)
  • If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing. (§ 59.1-578.D., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)