Create an investigative report in regards to a privacy rights violation complaint.


CONTROL ID: 00495
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Corrective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Develop remedies and sanctions for privacy policy violations. (CC ID: 00474)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • (§ 37 thru § 39, Hong Kong Personal Data (Privacy) Ordinance)
  • Any organization or individual has the right to complain and report to a department with personal information protection duties about illegal personal information processing. The department that receives such a complaint or report shall handle it in a timely manner in accordance with the law, and no… (Article 65 ¶ 1, Personal Information Protection Law of the People's Republic of China)
  • The information commissioner must be satisfied that the determinations, directions, findings, declarations, and orders the adjudicator may make after investigating a complaint are the same that the commissioner may make after investigating a complaint before approving a privacy code that includes pr… (§ 18BB(3)(d), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner may make a determination to dismiss the complaint, after completing the investigation. (§ 52(1)(a), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner may find that the complaint is substantiated and make a determination that the agency or respondent has engaged in conduct that interfered with the privacy of an individual and should not repeat or continue the conduct. (§ 52(1)(b)(i), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner may find that the complaint was substantiated and make a determination that the respondent should perform reasonable acts or courses of conduct to redress damages or losses suffered by the complainant. (§ 52(1)(b)(ii), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner may find that the complaint was substantiated and make a determination that includes a declaration that the complainant is entitled to compensation for damage or loss suffered by the act or practice. (§ 52(1)(b)(iii), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner may find that a complaint is substantiated and make a determination that includes a declaration that further action would be inappropriate for this matter. (§ 52(1)(b)(iv), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner must give a copy of the determination to each agency to which services are or were to be provided under a contract and the commissioner considers if appropriate, when the respondent is a contracted service provider for a commonwealth contract. (§ 53A(1)(a), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner may give an agency a written recommendation of measures the commissioner considers appropriate, when the respondent is a contracted service provider for a commonwealth contract. (§ 53A(1)(b), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • It is required that parties be informed of the result of an investigation. "Where an investigation is made following a complaint, the Commissioner shall conduct the investigation with due expedition and shall inform the parties concerned, as soon as reasonably practicable after the conclusion of the… (§ 75, New Zealand Privacy Act 1993)
  • The delivered statement should also describe measures taken because of the Federal Commissioner's complaint. The bodies in Section 25(1).4 must also submit the statement to the competent supervisory authority. (§ 25(3), German Federal Data Protection Act, September 14, 1994)
  • The penalties in Articles 45.I and 45.II.1° will be announced in a report by one of the members of the "Commission Nationale de l'informatique et des libertés" (CNIL) appointed by the chairperson. The data controller will be notified of the report and may present his/her remarks and may be represe… (Art 46, France Data Processing, Data Files and Individual Liberties)
  • The Commission Nationale may notify the data subject of its investigation results. (Art 29(5), Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data)
  • After gathering all the necessary information, the Guarantee will order with a reasoned decision, if the complaint is grounded, that the data controller stop any unlawful conduct and will specify remedies to enforce a data subject's rights and set a deadline for implementing these measures. If no de… (§ 150, Italy Personal Data Protection Code)
  • The Commission for the protection of privacy will use mediation to try and settle any complaints. If a settlement is agreed upon, the Commission will produce a report explaining the solution that was reached. If a settlement cannot be obtained, the Commission will issue an opinion on the legitimacy … (Art 31.3 thru Art 31.5, Belgian Law of 8 December 1992 on the protection of privacy in relation to the processing of persona, Unofficial English Translation November 2008)
  • The Data Protection Commission must present its provisional findings to the responsible parties and allow them to present their views. If the investigation relates to the implementation of law, the findings must also be presented to the Minister of Justice. If the investigation was requested by an i… (Art 60.2, Art 60.3, Netherlands Personal Data Protection Act, Session 1999-2000 Nr.92, REVISED BILL (as approved by the Lower House on 23 November 1999), Unofficial Translation)
  • The Data Protection Commission can issue recommendations and set an appropriate period for compliance. If recommendations are not obeyed, the Data Protection Commission will, depending on the type of transgression and ex officio, initiate administrative inquiries to check the registration; bring cri… (§ 30(6), Austria Data Protection Act)
  • The Office must notify the informant, in writing, of the outcome of the investigation within 60 days and include the rights that were violated. If no violation was found, the Office must notify the informant, without undue delay and in writing, of this fact. Notifications about the same case may be … (§ 45(13) thru § 45(15), Slovak Republic Protection of Personal Data in Information Systems)
  • If, after investigation of a complaint, the Privacy Commissioner finds it is well-founded, he/she must provide to the head of the government institution that has control of the personal information a report that contains the investigation findings and recommendations the Commissioner considers appro… (§ 35, § 36(3), § 37(3), Canada Privacy Act, P-21)
  • The Privacy Commissioner must prepare a report within 1 year after the day he/she initiates or files a complaint. The report must contain findings and recommendations, any reached settlements, a request that the organization notify the Privacy Commissioner, within a specified time, about actions tha… (§ 13, Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5)
  • A person who was denied rights under this Act must file a complaint with the State Commission for Access to Public Information. The Commission must verify the complaint's validity and issue a resolution within a maximum period of 90 calendar days from the day the complaint was filed. (Art 8, Colima Personal Data Protection Law (Decree No. 356))
  • The general director of the Institute for Access to Public Information must resolve a complaint within 10 business days, amending, confirming, or repealing the act under appeal. The resolution of the complaint will be personally served to the appellant. If the decision is favorable to the appellant,… (Art 30, Guanajuato Personal Data Protection Law)
  • When the Commission receives a notice of review or has a hearing, he/she must notify the affected public body about the contested resolution or act, by the next business day, by forwarding copies of the records that make up the appeal and filing a justification report for the appeal in 5 days. (Art 87, Tlaxcala Law on Access to Public Information and Personal Data Protection)
  • The organization should document the resolution of each complaint and communicate that to the individual. (Generally Accepted Privacy Principles and Criteria § 10.2.2, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • § 422.564(e)(1): An enrollee must be notified by the Medicare Advantage (MA) organization on a decision as expeditiously as required, based on health status, but not later than 30 days after receiving the grievance. § 422.564(e)(3): The enrollee must be notified of the disposition of the grievance… (§ 422.564(e)(1), § 422.564(e)(3), § 422.564(f), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • An investigative credit report (includes information about character, mode of living, and general reputation) should not be prepared, unless the consumer is notified not later than 3 days after the request was made. The notification should contain a disclosure that the consumer may request the addit… (§ 606, Fair Credit Reporting Act (FCRA), July 30, 2004)
  • Implementation specification: Documentation of complaints. As required by paragraph (j) of this section, a covered entity must document all complaints received, and their disposition, if any. (§ 164.530(d)(2), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • The notice on the results of the reinvestigation shall include that the reinvestigation is complete. (§ 1785.16(d)(1), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • The notice on the results of the reinvestigation shall include a credit report based on the information after the reinvestigation. (§ 1785.16(d)(2), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • The notice on the results of the reinvestigation shall include a description of any changes that were made, changes that were not made, and the reasons they were not made. (§ 1785.16(d)(3), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • The notice on the results of the reinvestigation shall include a notice that the consumer may request a description of the procedures for determining the accuracy and completeness of the information, including the name, address, and telephone number of anyone who provided information. (§ 1785.16(d)(4), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • The notice on the results of the reinvestigation shall include a notice that the consumer may add a statement disputing the accuracy or completeness of the information in the file. (§ 1785.16(d)(5), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • The notice on the results of the reinvestigation shall include a notice that the consumer has the right to request the credit reporting agency provide notifications that the information has changed. (§ 1785.16(d)(6), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • The notice on the results of the reinvestigation shall include a notice that the dispute will remain in the file as long as the credit information is used. (§ 1785.16(d)(7), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • The notice on the results of the reinvestigation shall include a statement that the dispute details will be provided to any recipient as long as the credit information is kept in the agency's database. (§ 1785.16(d)(8), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • investigate, report, or prosecute a person responsible for an action described in Subsection (1)(h)(i); (13-61-304 (1)(h)(ii), Utah Code, Title 13, Chapter 61, Utah Consumer Privacy Act)