Refrain from subjecting individuals to retaliation or intimidation after a complaint is created.


CONTROL ID
06218
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Develop remedies and sanctions for privacy policy violations., CC ID: 00474

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • encourage the raising of concerns and prohibit any form of retaliation; (§ 5.2 ¶ 2 bullet 6, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • encourage the raising of concerns and prohibits any form of retaliation; (§ 5.2 ¶ 2 e), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The entity that demonstrates open communication and transparency provides a variety of channels for both management and personnel to report concerns about potentially inappropriate or excessive risk taking, business conduct, or behavior without fear of retaliation or intimidation. The entity also pr… (Keeping Communication Open and Free from Retribution ¶ 4, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Filing of a complaint under §160.306; (§ 160.316 ¶ 1(a), 45 CFR Part 160 - General Administrative Requirements)
  • Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing under this part; or (§ 160.316 ¶ 1(b), 45 CFR Part 160 - General Administrative Requirements)
  • Opposing any act or practice made unlawful by this subchapter, provided the individual or person has a good faith belief that the practice opposed is unlawful, and the manner of opposition is reasonable and does not involve a disclosure of protected health information in violation of subpart E of pa… (§ 160.316 ¶ 1(c), 45 CFR Part 160 - General Administrative Requirements)
  • Complaints. The notice must contain a statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individua… (§ 164.520(b)(1)(vi), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Must refrain from intimidation and retaliation as provided in §160.316 of this subchapter. (§ 164.530(g)(2), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • May not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any right established, or for participation in any process provided for, by this subpart or subpart D of this part, including the filing of a comp… (§ 164.530(g)(1), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Personal data concerning the regular exercise of rights by the data subject cannot be used to her/his detriment. (Art. 21, Brazilian Law No. 13709, of August 14, 2018)