Define and assign the Privacy Officer's roles and responsibilities.


CONTROL ID: 00714
CONTROL TYPE: Establish Roles
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain high-level operational roles and responsibilities (CC ID: 00806)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Art 22: The organization must designate a person from within the organization as the manager of personal data. He/she must understand these guidelines and have the skills to put them into practice. Art 23: The personal data manager must understand and observe the requirements of these guidelines, ac… (Art 22, Art 23, Japan Handbook Concerning Protection Of Personal Data, February 1998)
  • A personal information processor that processes personal information up to the amount prescribed by the national cyberspace department shall designate a person in charge of personal information protection, who shall supervise the personal information processing activities of the processor as well as… (Article 52 ¶ 1, Personal Information Protection Law of the People's Republic of China)
  • A provider of information and communications services whose average number of users per day, sales, and other related factors fall under the criteria prescribed by Presidential Decree shall designate a person responsible for protection of juvenile to keep juvenile from unwholesome information to… (Article 42-3(1), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • The person responsible for protection of juvenile shall be chosen from among executive officers of the relevant business operator or the persons in a position equivalent to the head of a department responsible for business affairs related to protection of juvenile. (Article 42-3(2), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Other functions prescribed by Presidential Decree for the appropriate processing of personal information. (Article 31(2) (7), Personal Information Protection Act)
  • To treat grievances and remedial compensation in relation to personal information processing; (Article 31(2) (3), Personal Information Protection Act)
  • To build the internal control system to prevent the divulgence, abuse, and misuse of personal information; (Article 31(2) (4), Personal Information Protection Act)
  • To prepare and implement an education program about personal information protection; (Article 31(2) (5), Personal Information Protection Act)
  • To protect, control, and manage the personal information files; (Article 31(2) (6), Personal Information Protection Act)
  • A personal information controller shall designate a privacy officer who comprehensively takes charge of personal information processing. (Article 31(1), Personal Information Protection Act)
  • The entity has a governance and legal structure that establishes accountability for information privacy policy creation, oversight, monitoring and compliance. (M1.2 Established accountability, Privacy Management Framework, Updated March 1, 2020)
  • A privacy audit should be performed and should, at a minimum, consider if a chief privacy officer has been assigned and his/her responsibilities defined. (App A.5 (Recommendations for Privacy), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • The organization should develop a position of privacy ombudsman, officer, or organization to act as a focal point for coordinating privacy-related matters and for handling issues and complaints. The organization should designate a primary coordinator or contact who is principally responsible for pri… (§ 4.5 (Privacy Best Practices), § 5.4 (Legal and Organizational Risks), 5.5 (Understanding Personal Data Processing), IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • An individual should be appointed to co-ordinate information privacy activity (e.g., a Chief Privacy Officer or a data protection manager). (SR.02.02.01-2, The Standard of Good Practice for Information Security)
  • An individual should be appointed to co-ordinate information privacy activity (e.g., a Chief Privacy Officer or a data protection manager). (SR.02.02.01-2, The Standard of Good Practice for Information Security, 2013)
  • Every country shall legally designate a responsible authority for supervising observance of the principles of the United Nations guidelines concerning computerized personal data files. The authority shall be impartial, independent from parties responsible for processing and establishing the data, an… (A.8, UN Guidelines for the Regulation of Computerized Personal Data Files (1990))
  • The organization must assign responsibility and accountability for developing, documenting, implementing, enforcing, monitoring, and updating the privacy policy to an individual or group. (Table Ref 1.1.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should clearly document the responsibilities of the Privacy Officer. (Table Ref 1.1.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy officer's responsibility should include establishing standards for classifying the sensitivity of personal information. (Table Ref 1.1.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy officer's responsibility should include establishing standards for determining the required protection level. (Table Ref 1.1.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy officer's responsibility should include developing and maintaining the privacy policy. (Table Ref 1.1.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy officer's responsibility should include monitoring and updating the privacy policy. (Table Ref 1.1.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy officer's responsibility should include delegating the authority to enforce the privacy policy. (Table Ref 1.1.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy officer's responsibility should include monitoring the degree of compliance to the privacy policy. (Table Ref 1.1.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy officer's responsibility should include improving the training or clarification of privacy policies or practices. (Table Ref 1.1.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The chief privacy officer should be responsible for the overall privacy incident and breach management program, supported by the security steering committee and the privacy steering committee, and assisted by the breach team. (Table Ref 1.2.7, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy officer should be authorized to respond to privacy related complaints and disputes. (Table Ref 10.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The Department of Justice must designate a department-wide Chief Privacy Officer who will report directly to the Deputy Attorney General. The Chief Privacy Officer will oversee the implementation of the requirements to conduct privacy impact assessments of the use by the Department of commercial dat… (§ 404, Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • A privacy official must be designated by the covered entity and must be responsible for developing and implementing policies and procedures. (§ 164.530(a)(1)(i), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity. (§ 164.530(a)(1)(i), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program. (PM-19 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program. (PM-19 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • The organization shall assign a senior agency official for privacy who oversees privacy-related matters for the personal identity verification (PIV) system and is responsible for implementing this standard's privacy requirements. This person may not have any other operational roles in the PIV system… (§ 2.4 ¶ 3, FIPS Pub 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, Change Notice 1)
  • Assign an individual to the role of privacy official. The privacy official is the individual who oversees privacy-related matters in the PIV system and is responsible for implementing the privacy requirements in the Standard. The individual serving in this role SHALL NOT assume any other operational… (2.11 ¶ 3 Bullet 1, FIPS Pub 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors)
  • The Privacy Officer should provide advice on privacy issues dealing with the disposition of privacy information and the media that it is stored on. (§ 3.9, Guidelines for Media Sanitization, NIST SP 800-88, September 2006)
  • The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform privacy roles, responsibilities, and risk management decisions. (Business Environment (ID.BE-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use,… (AR-1a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sha… (AR-1a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program. (PM-19 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program. (PM-19 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)