Provide notice of proposed penalties.


CONTROL ID: 06216
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Develop remedies and sanctions for privacy policy violations. (CC ID: 00474)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The accreditation authority shall not revoke or suspend an accreditation or recognition of an Authentication Service provider unless it has notified the Authentication Service provider of its intention in writing. (§ 31(2)(a), The Electronic Communications and Transactions Act, 2002)
  • The accreditation authority shall not revoke or suspend an accreditation or recognition of an Authentication Service provider unless it has given them a description of the alleged breach of any conditions, requirements, or restrictions. (§ 31(2)(b), The Electronic Communications and Transactions Act, 2002)
  • specifying the adverse action it proposes to take and the reasons therefor; and (Part 6 Section 30(5)(a)(i), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • An authorized person may give a person an infringement notice, when the authorized person has reasonable grounds to believe that the person has committed 1 or more violations of a civil penalty provision. (Sched 3 § 3(1), Australian Government Spam Act 2003)
  • Infringement notices must be given inside of 12 months after the day when the violations are alleged to have taken place. (Sched 3 § 3(2), Australian Government Spam Act 2003)
  • An infringement notice must include the name of the person the notice is being given to. (Sched 3 § 4(1)(a), Australian Government Spam Act 2003)
  • An infringement notice must include the name of the authorized person who gave the notice. (Sched 3 § 4(1)(b), Australian Government Spam Act 2003)
  • An infringement notice must include brief details for each of the alleged violations or be accompanied by a data processing device that contains the details of the alleged violations in electronic form. (Sched 3 § 4(1)(c), Australian Government Spam Act 2003)
  • An infringement notice must include a statement that the violations will not be dealt with in federal court, if the penalty stated in the notice is paid inside of 28 days after the notice is given or the longer period, if a longer period is allowed. (Sched 3 § 4(1)(d), Australian Government Spam Act 2003)
  • An infringement notice must include an explanation of how to pay the penalty. (Sched 3 § 4(1)(e), Australian Government Spam Act 2003)
  • An infringement notice must include any other matters stated in the regulations. (Sched 3 § 4(1)(f), Australian Government Spam Act 2003)
  • The brief details included in the infringement notice must include the date of the alleged violation. (Sched 3 § 4(2)(a), Australian Government Spam Act 2003)
  • The brief details included in the infringement notice must include the civil penalty provision that was allegedly violated. (Sched 3 § 4(2)(b), Australian Government Spam Act 2003)
  • When the infringement notice for a corporate body is about a single alleged violation of sections 16(1), 16(6), or 16(9), the penalty stated in the notice must be a pecuniary penalty equal to 20 penalty units. (Sched 3 § 5(1) Table Item 1, Australian Government Spam Act 2003)
  • When the infringement notice for a corporate body is about more than 1 and fewer than 50 alleged violations of sections 16(1), 16(6), or 16(9), the penalty stated in the notice must be a pecuniary penalty equal to the number of penalty units obtained by multiplying the number of alleged violations b… (Sched 3 § 5(1) Table Item 2, Australian Government Spam Act 2003)
  • When the infringement notice for a corporate body is about 50 or more alleged violations of sections 16(1), 16(6), or 16(9), the penalty stated in the notice must be a pecuniary penalty equal to 1,000 penalty units. (Sched 3 § 5(1) Table Item 3, Australian Government Spam Act 2003)
  • When the infringement notice for a corporate body is about a single alleged violation of a civil penalty provision other than sections 16(1), 16(6), or 16(9), the penalty stated in the notice must be a pecuniary penalty equal to 10 penalty units. (Sched 3 § 5(1) Table Item 4, Australian Government Spam Act 2003)
  • When the infringement notice for a corporate body is about more than 1 and fewer than 50 alleged violations of a civil penalty provision other than sections 16(1), 16(6), or 16(9), the penalty stated in the notice must be a pecuniary penalty equal to the number of penalty units obtained by multiplyi… (Sched 3 § 5(1) Table Item 5, Australian Government Spam Act 2003)
  • When the infringement notice for a corporate body is about more than 50 alleged violations of a civil penalty provision other than sections 16(1), 16(6), or 16(9), the penalty stated in the notice must be a pecuniary penalty equal to the number of penalty units obtained by multiplying the number of … (Sched 3 § 5(1) Table Item 6, Australian Government Spam Act 2003)
  • When the infringement notice for an individual is about a single alleged violation of sections 16(1), 16(6), or 16(9), the penalty stated in the notice must be a pecuniary penalty equal to 4 penalty units. (Sched 3 § 5(2) Table Item 1, Australian Government Spam Act 2003)
  • When the infringement notice for an individual is about more than 1 and fewer than 50 alleged violations of sections 16(1), 16(6), or 16(9), the penalty stated in the notice must be a pecuniary penalty equal to the number of penalty units obtained by multiplying the number of alleged violations by 4… (Sched 3 § 5(2) Table Item 2, Australian Government Spam Act 2003)
  • When the infringement notice for an individual is about more than 50 alleged violations of sections 16(1), 16(6), or 16(9), the penalty stated in the notice must be a pecuniary penalty equal to 200 penalty units. (Sched 3 § 5(2) Table Item 3, Australian Government Spam Act 2003)
  • When the infringement notice for an individual is about a single alleged violation of a civil penalty provision other than sections 16(1), 16(6), or 16(9), the penalty stated in the notice must be a pecuniary penalty equal to 2 penalty units. (Sched 3 § 5(2) Table Item 4, Australian Government Spam Act 2003)
  • When the infringement notice for an individual is about more than 1 and fewer than 50 alleged violations of a civil penalty provision other than sections 16(1), 16(6), or 16(9), the penalty stated in the notice must be a pecuniary penalty equal to the number of penalty units obtained by multiplying … (Sched 3 § 5(2) Table Item 5, Australian Government Spam Act 2003)
  • When the infringement notice for an individual is about more than 50 alleged violations of a civil penalty provision other than sections 16(1), 16(6), or 16(9), the penalty stated in the notice must be a pecuniary penalty equal to 100 penalty units. (Sched 3 § 5(2) Table Item 6, Australian Government Spam Act 2003)
  • An authorized person may withdraw the infringement notice by giving a written withdrawal notice to the person. (Sched 3 § 6(2), Australian Government Spam Act 2003)
  • The withdrawal notice must be given to the person inside of 28 days after the infringement notice was given to the person, in order for the withdrawal notice to be effective. (Sched 3 § 6(3), Australian Government Spam Act 2003)
  • When an infringement notice is withdrawn after a penalty is paid, the penalty is to be refunded. (Sched 3 § 6(4), Australian Government Spam Act 2003)
  • Member States shall allow their competent authorities to disclose to the public any administrative penalty that is imposed for infringement of the measures adopted in the transposition of this Directive, unless such disclosure would seriously jeopardise the financial markets or cause disproportionat… (Art 103(2), DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
  • set out the administrative monetary penalty that the person is liable to pay and the time and manner of payment; (Section 22(2)(c), An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act)
  • inform the person that, if they do not pay the penalty or make representations in accordance with the notice, they will be deemed to have committed the violation and that the penalty set out in the notice will be imposed; and (Section 22(2)(e), An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act)
  • inform the person that if they are found or are deemed to have committed a violation they may be made the subject of an order requiring them to do what this Act requires them to do, or forbidding them to do what this Act prohibits them from doing, and that the order can be enforced as an order of a … (Section 22(2)(f), An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act)
  • IN GENERAL.—Each Government agency and health plan shall report any final adverse action (not including settlements in which no findings of liability have been made) taken against a health care provider, supplier, or practitioner. (§ 1128E(b)(1), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 104th Congress)
  • disclosure of the information, upon request, to the health care provider, supplier, or licensed practitioner, and (§ 1128E(c)(1)(A), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 104th Congress)
  • The informal panel of Data Protection Authorities will notify an organization that fails to comply with the advice of the Data Protection Authority inside of 25 days and offers no explanation for the delay of its intention to submit the matter to the Federal Trade Commission or to conclude that the … (FAQ-The Role of the Data Protection Authorities ¶ 4, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • If, following action pursuant to paragraph (a)(3)(i) of this section, the Secretary finds that a civil money penalty should be imposed, inform the covered entity or business associate of such finding in a notice of proposed determination in accordance with §160.420 of this part. (§ 160.312(a)(3)(ii), 45 CFR Part 160 - General Administrative Requirements)
  • Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual. (PT-8e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual. (PT-8e., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual. (PT-8e., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)