
Establish, implement, and maintain an accuracy resolution policy.


CONTROL ID: 00460
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a privacy dispute resolution program. (CC ID: 12526)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • If a person is a relevant person in relation to an individual only because the person has been authorized in writing by the individual to make a data access request on behalf of the individual, the person is not entitled to make a data correction request. (Added 18 of 2012 s. 15) (Part 5 Division 2 Section 22(1A), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • Subject to subsection (2), a data user shall refuse to comply with section 23(1) in relation to a data correction request if the data user is not supplied with such information as the data user may reasonably require- (Part 5 Division 2 Section 24(1), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • as to the identity of the individual in relation to whom the requestor purports to be such a person; and (Part 5 Division 2 Section 24(1)(b)(i), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • in order to satisfy the data user as to the identity of the requestor; (Part 5 Division 2 Section 24(1)(a), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • that the requestor is such a person in relation to that individual. (Part 5 Division 2 Section 24(1)(b)(ii), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • Subsection (1) shall not apply to a data correction request where the requestor is the same person as the requestor in respect of the data access request which gave rise to the data correction request. (Part 5 Division 2 Section 24(2), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • subject to subsection (4), any other data user controls the processing of the personal data to which the request relates in such a way as to prohibit the first-mentioned data user from complying (whether in whole or in part) with that section. (Part 5 Division 2 Section 24(3)(e), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • as to the identity of the data subject in relation to whom the requestor claims to be the relevant person; and (Part II Division 4 36. (1) (a) (ii) (A), Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • in order to satisfy himself as to the identity of the requestor; or (Part II Division 4 36. (1) (a) (i), Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • the first-mentioned data user shall immediately transfer the data correction request to such data user, and notify the requestor of this fact; and (Part II Division 4 35. (5) (a), Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • the data user is not supplied with such information as he may reasonably require— (Part II Division 4 36. (1) (a), Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • that the requestor is the relevant person in relation to the data subject; (Part II Division 4 36. (1) (a) (ii) (B), Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • subject to subsection (2), any other data user controls the processing of the personal data to which the data correction request relates in such a way as to prohibit the first-mentioned data user from complying, whether in whole or in part, with the data correction request. (Part II Division 4 36. (1) (e), Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • where paragraph 36(1)(e) is applicable, of the name and address of the other data user concerned. (Part II Division 4 37. (1) (b), Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • (Art 13, Taiwan Computer-Processed Personal Data Protection Law 1995)
  • The requirements of sections 27(1) to 27(8) will be applied to criminal records, and also public books and registers kept by public sector controllers and the obligation to correct and erase are carried out by the organization or the ability to decide about corrections and erasures of data is not re… (§ 27(9), Austria Data Protection Act)
  • Secondly, individuals can also bring a complaint directly to the independent dispute resolution body (either in the United States or in the Union) designated by an organisation to investigate and resolve individual complaints (unless they are obviously unfounded or frivolous) and to provide appropri… (2.4 (70), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Data processors must develop procedures for processing information requests and for correcting or deleting personal data. (Art 6.II, Guanajuato Personal Data Protection Law)
  • The person in charge of the data should block the personal data that is being supplemented, corrected, updated, stayed, or cancelled until it has been completed. (Art 72, Tlaxcala Law on Access to Public Information and Personal Data Protection)
  • An individual may ask an organization to include a statement of disagreement with the personal information that the individual and organization do not agree is complete and accurate. (Table Ref 6.2.6, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The data controller must develop an accuracy resolution process. The data broker must determine, within 30 days, if the information in the system accurately and completely records the available information. If the information is not from a public record or licensor, the data broker must, within 30 d… (§ 201(e)(1)(A), § 201(e)(2), § 201(e)(3), § 201(e)(4), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • Is not part of the designated record set; (§ 164.526(a)(2)(ii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Was not created by the covered entity, unless the individual provides a reasonable basis to believe that the originator of protected health information is no longer available to act on the requested amendment; (§ 164.526(a)(2)(i), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Is accurate and complete. (§ 164.526(a)(2)(iv), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Would not be available for inspection under §164.524; or (§ 164.526(a)(2)(iii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Amendments. Enable a user to select the record affected by a patient's request for amendment and perform the capabilities specified in paragraph (d)(4)(i) or (ii) of this section. (§ 170.315 (d) (4), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Amendments. Enable a user to select the record affected by a patient's request for amendment and perform the capabilities specified in paragraph (d)(4)(i) or (ii) of this section. (§ 170.315 (d) (4), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • A consumer credit reporting agency shall review and consider all relevant information furnished by the consumer in connection with a dispute. (§ 1785.16(b), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A consumer credit reporting agency shall maintain reasonable procedures to prevent information that was deleted from reappearing in the consumer's credit file and credit report. (§ 1785.16(i), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)