Include how to gain access to personal data held by the organization in the privacy policy.


CONTROL ID
00410
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Define what is included in the privacy policy., CC ID: 00404

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • A recordkeeper shall maintain a record that states the steps a person who wishes to obtain access to the information should take. (§ 14 Prin. 5(3)(f), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • (§ 14.5.1(b)(iii), Australia Privacy Act 1988)
  • how an individual may access personal information about the individual that is held by the entity and seek the correction of such information; (Schedule 1 Part 1 Clause 1 Subclause 1.4(d), Australian Privacy Act 1988, Compilation No. 77)
  • that the APP privacy policy of the APP entity contains information about how the individual may access the personal information about the individual that is held by the entity and seek the correction of such information; (Schedule 1 Part 2 Clause 5 Subclause 5.2(g), Australian Privacy Act 1988, Compilation No. 77)
  • There should be a documented information privacy policy that covers the rights of individuals about whom Personally Identifiable Information is held. (SR.02.02.04b, The Standard of Good Practice for Information Security)
  • There should be a documented information privacy policy that covers the rights of individuals about whom Personally Identifiable Information is held. (SR.02.02.04b, The Standard of Good Practice for Information Security, 2013)
  • The organization should have procedures in place for individuals to figure out if an organization holds any personal information on them, and, if so, procedures should be in place to allow them access to their personal information. (ID 6.2.1, AICPA/CICA Privacy Framework)
  • The privacy policy should include how to gain Access to personal information. (Generally Accepted Privacy Principles and Criteria § 2.1.1 e, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should address how individuals are provided Access to their personal information. (Generally Accepted Privacy Principles and Criteria § 6.1.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should inform individuals about how they may Access their personal information for reviewing, updating, and correcting. (Generally Accepted Privacy Principles and Criteria § 6.1.1, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should include how to gain access to personal information. (Table Ref 2.1.1.e, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy notice should explain how individuals may gain access to their personal information. (Table Ref 6.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should inform individuals about how they may access their personal information for reviewing, updating, and correcting. (Table Ref 6.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should have implemented procedures for communicating the steps individuals must take to gain access to their personal information. (Table Ref 6.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The information practices notice must state the name, address, e-mail address, and telephone number of each operator collecting or maintaining personal information from children. The website or online service may list the name, address, e-mail address, and telephone number of only one operator, if t… (§ 312.4(b)(2)(i), 16 CFR Part 312, Children's Online Privacy Protection Rule)
  • Notices must contain the individual's rights and how the rights may be exercised, including the right to request use and disclosure restrictions; the right to receive confidential communications; the right to inspect and copy protected health information; the right to correct protected health inform… (§ 164.520(b)(1)(iv), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Notices must contain a statement that the covered entity is required by law to maintain the privacy of protected health information and to provide individuals with notice of its legal duties and privacy practices with respect to protected health information. (§ 164.520(b)(1)(v), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • The designated record set subject to access by individuals and the titles of the offices or persons responsible to receive and process requests for individual access must be documented and retained in accordance with § 164.530(j). (§ 164.524(e), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • The organization describes how individuals may obtain access to PII. (TR-1b.(v), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • how individuals may obtain access to PII; and (TR-1b.(v), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • A description of a consumer's rights pursuant to Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, and 1798.125 and two or more designated methods for submitting requests, except as provided in subparagraph (A) of paragraph (1) of subdivision (a). (§ 1798.130 (a)(5)(A), California Civil Code Division 3 Part 4 Title 1.81.5 California Consumer Privacy Act of 2018, Amended November 3, 2020)
  • A description of a consumer's rights pursuant to Sections 1798.110, 1798.115, and 1798.125 and one or more designated methods for submitting requests. (§ 1798.130 (a)(5)(A), California Civil Code Division 3 Part 4 Title 1.81.5 California Consumer Privacy Act of 2018, Assembly Bill No. 375)
  • the procedures by which a user may gain access to the collected information pertaining to that user; (§ 203.1(d), New York State Technology Law, Article 2 Internet Security and Privacy Act)
  • a description of the methods required under Section 541.055 through which consumers can submit requests to exercise their consumer rights under this chapter. (§ 541.102 (a)(6), Texas Business and Commercial Code, Title 11, Subtitle C, Chapter 541, Subchapter A, Section 541)