
Establish, implement, and maintain a privacy policy.


CONTROL ID
06281
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a privacy framework that protects restricted data., CC ID: 11850

This Control has the following implementation support Control(s):
  • Include the data subject's rights in the privacy policy., CC ID: 16355
  • Establish, implement, and maintain a privacy policy model document., CC ID: 14720
  • Document privacy policies in clearly written and easily understood language., CC ID: 00376
  • Notify interested personnel and affected parties when changes are made to the privacy policy., CC ID: 06943
  • Define what is included in the privacy policy., CC ID: 00404
  • Post the privacy policy in an easily seen location., CC ID: 00401
  • Disseminate and communicate the privacy policy to interested personnel and affected parties., CC ID: 13346
  • Establish, implement, and maintain privacy procedures., CC ID: 14665
  • Disseminate and communicate the privacy procedures to all interested personnel and affected parties., CC ID: 14664
  • Establish, implement, and maintain a privacy plan., CC ID: 14672

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Every provider of information and communications services or similar shall, when he or she manages personal information of users, establish and disclose its policy on managing personal information to the public in a manner specified by Presidential Decree so that users become aware of the policy eas… (Article 27-2(1), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Where there exist discrepancies between the Privacy Policy and the agreement executed by and between the personal information controller and data subjects, what is beneficial to the data subjects prevails. (Article 30(3), Personal Information Protection Act)
  • Every personal information controller shall establish the personal information processing policy including the following matters (hereinafter referred to as "Privacy Policy"). In this case, the public institutions shall establish the Privacy Policy for the personal information files to be registered… (Article 30(1), Personal Information Protection Act)
  • The information commissioner may approve a privacy code only if the code includes all the national privacy principles or sets requirements that are at least equivalent to the requirements in the principles. (§ 18BB(2)(a), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner must be satisfied that the privacy code requires the annual report to include a summary that identifies the provisions of the code applied to each complaint dealt with by the adjudicator, even if the adjudicator did not make a determination, declaration, finding… (§ 18BB(3)(ka)(ii), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner may develop written guidelines for assisting organizations with writing and applying privacy codes. (§ 18BF(1)(a), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner may develop written guidelines that relate to the making of, and dealing with, complaints under an approved privacy code. (§ 18BF(1)(b), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner may develop written guidelines about what the commissioner may consider when determining whether to approve a privacy code or a variation of an approved privacy code. (§ 18BF(1)(c), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • An organization must establish and maintain a document clearly expressing its policies on managing personal information. (Sched 3 § 5.1, Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate t… (Art. 24.1., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller. (Art. 24.2., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32; (Art. 40.2.(h), Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Specification of data protection principles (processing of personally identifiable data) in a documented company-internal data protection policy (e.g. company-internal guideline). (9.2 Requirements Bullet 1, Information Security Assessment, Version 5.1)
  • To certify under the EU-U.S. DPF (or re-certify on an annual basis), organisations are required to publicly declare their commitment to comply with the Principles, make their privacy policies available and fully implement them. As part of their (re-)certification application, organisations have to s… (2.3.1 (48), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • The requirements laid down in this Executive Order issued by the President are binding on the entire Intelligence Community. They must be further implemented through agency policies and procedures that transpose them into concrete directions for day-to-day operations. In this respect, EO 14086 provi… (3.2.1.1 (126), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Once an organisation has voluntarily decided to certify under the EU-U.S. DPF, its effective compliance with the Principles is compulsory and enforceable. Under the Recourse, Enforcement and Liability Principle, EU-U.S. DPF organisations must provide effective mechanisms to ensure compliance with th… (2.2.7 (45), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • In accordance with authority provided by the Clinger-Cohen Act (P.L. 104-106, Division E) and the Computer Security Act of 1987 (P.L. 100-235), the Office of Management and Budget (OMB) issued Circular No. A-130 to establish general binding guidance that applies to all federal agencies (including la… (3.1.1.2 (102), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • The entity shall describe the nature, scope, and implementation of its policies and practices related to user privacy, with a specific focus on how it addresses the collection, usage, and retention of user information. (TC-IM-220a.1. 1, Internet Media & Services Sustainability Accounting Standard, Version 2018-10)
  • The entity shall describe the nature, scope, and implementation of its policies and practices related to user privacy, with a specific focus on how it addresses the collection, usage, and retention of user information. (TC-SI-220a.1. 1, Software & IT Services Sustainability Accounting Standard, Version 2018-10)
  • The entity shall describe the nature, scope, and implementation of its policies and practices related to customer privacy, with a specific focus on how it addresses the collection, usage, and retention of customer information. (TC-TL-220a.1. 1, Telecommunication Services Sustainability Accounting Standard, Version 2018-10)
  • Review and approve the security and privacy plans for the system and the environment of operation. (TASK S-6, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process. (Task M-4, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • The entity's privacy notice is current, dated, uses clear language, and is in a location that can be easily found by data subjects. (P1.1 ¶ 2 Bullet 4 Uses Clear Language and Presents a Current Privacy Notice in a Location Easily Found by Data Subjects, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization implements and maintains a documented policy or policies that address customer data privacy, and is approved by a designated officer or the organization's appropriate governing body (e.g., the Board or one of its committees). (GV.PL-3.3, CRI Profile, v1.2)
  • The organization implements and maintains a documented policy or policies that address customer data privacy, and is approved by a designated officer or the organization's appropriate governing body (e.g., the Board or one of its committees). (GV.PL-3.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures. (Generally Accepted Privacy Principles and Criteria § 1.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization must define and document the privacy policy with respect to notices. (Generally Accepted Privacy Principles and Criteria § 1.1.0 a, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization must define and document the privacy policy with respect to choice and consent. (Generally Accepted Privacy Principles and Criteria § 1.1.0 b, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization must define and document the privacy policy with respect to collection. (Generally Accepted Privacy Principles and Criteria § 1.1.0 c, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization must define and document the privacy policy with respect to use, retention, and disposal. (Generally Accepted Privacy Principles and Criteria § 1.1.0 d, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization must define and document the privacy policy with respect to Access. (Generally Accepted Privacy Principles and Criteria § 1.1.0 e, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization must define and document the privacy policy with respect to disclosure to third parties. (Generally Accepted Privacy Principles and Criteria § 1.1.0 f, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization must define and document the privacy policy with respect to security for privacy. (Generally Accepted Privacy Principles and Criteria § 1.1.0 g, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization must define and document the privacy policy with respect to quality. (Generally Accepted Privacy Principles and Criteria § 1.1.0 h, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization must define and document the privacy policy with respect to monitoring and enforcement. (Generally Accepted Privacy Principles and Criteria § 1.1.0 i, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization must update privacy policies and procedures to meet the requirements of laws and regulations when they change. (Generally Accepted Privacy Principles and Criteria § 1.2.2, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization must update privacy policies and procedures whenever there are changes to the requirements. (Generally Accepted Privacy Principles and Criteria § 1.2.11 ¶ 2, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Management: The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures. (Privacy Principle 1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization must define and document the privacy policy, which includes notice, choice, consent, collection, use, retention, disposal, access, disclosure to third parties, security, quality, monitoring, and enforcement. (Table Ref 1.1.0, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should have the privacy policy in writing. (Table Ref 1.1.0, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization must update privacy policies and procedures to meet the requirements of laws and regulations when they change. (Table Ref 1.2.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization must update privacy policies and procedures whenever there are changes to the requirements. (Table Ref 1.2.11, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The system description, when addressing privacy controls, must contain a statement that the privacy notice was prepared in compliance with the requirements of the applicable trust services criteria, in order to meet the criteria for being fairly presented, if the service organization provides the pr… (¶ 1.35.d, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The entity provides notice to data subjects about its privacy practices to meet the entity’s privacy commitments and system requirements. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of pers… (P1.1, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • Is there a documented privacy and information security program with administrative, technical, and physical safeguards for the protection of client confidential information? (§ P.1.1, Shared Assessments Standardized Information Gathering Questionnaire - P. Privacy, 7.0)
  • Is there a documented privacy policy or procedures for the protection of information accessed, processed, or maintained on behalf of the client? (§ P.5, Shared Assessments Standardized Information Gathering Questionnaire - P. Privacy, 7.0)
  • Are the privacy policies and procedures reviewed and revised (as needed) on a regular basis (e.g., annually)? (§ P.5.1, Shared Assessments Standardized Information Gathering Questionnaire - P. Privacy, 7.0)
  • Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy pol… (§ III.7.c., EU-U.S. Privacy Shield Framework Principles)
  • When a notice is revised, it must be made available upon request and promptly comply with the § 164.520(c)(2)(iii) requirements. (§ 164.520(c)(2)(iv), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • A covered entity must complete the following to make a change to its privacy practices: ensure the revisions to the policies or procedures complies with the requirements, standards, and implementation specifications; document the revised policies or procedures; and revise the notice and make the rev… (§ 164.530(i)(4), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Document the policy or procedure, as revised, as required by paragraph (j) of this section; and (§ 164.530(i)(4)(i)(B), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes. (PM-20(1) ¶ 1(c), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] personally identifiable information processing and transparency policy that: (PT-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (PT-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (PT-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] personally identifiable information processing and transparency policy that: (PT-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (PT-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (PT-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (PT-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] personally identifiable information processing and transparency policy that: (PT-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (PT-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (PT-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] personally identifiable information processing and transparency policy that: (PT-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (PT-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (PT-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] personally identifiable information processing and transparency policy that: (PT-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (PT-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Provide development guidance and assist in the identification, implementation and maintenance of organization information privacy policies and procedures in coordination with organization management and administration and legal counsel (T0900, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Organizations should have policies regarding privacy and sensitive information. (§ 6.5 bullet 1, NIST 800-86: Guide to Integrating Forensic Techniques into Incident Response, August 2006)
  • Organizational privacy values and policies (e.g., conditions on data processing such as data uses or retention periods, individuals' prerogatives with respect to data processing) are established and communicated. (GV.PO-P1, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Privacy values, policies, and training are reviewed and any updates are communicated. (GV.MT-P2, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization should establish a comprehensive privacy program by establishing policies and procedures that address all of the Organization for Economic Cooperation and Development Fair Information Practices. (§ 2.3 ¶ 3, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization should consider developing privacy policies and associated procedures for the Access rules for Personally Identifiable Information in the system. (§ 4.1.1 ¶ 1 Bullet 1, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization should consider developing privacy policies and associated procedures for the Personally Identifiable Information retention schedules and procedures. (§ 4.1.1 ¶ 1 Bullet 2, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization should consider developing privacy policies and associated procedures for Personally Identifiable Information Incident Response and data breach notification. (§ 4.1.1 ¶ 1 Bullet 3, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization should consider developing privacy policies and associated procedures for privacy in the System Development Lifecycle process. (§ 4.1.1 ¶ 1 Bullet 4, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization should consider developing privacy policies and associated procedures for limitations on the collection, disclosure, sharing, and use of Personally Identifiable Information. (§ 4.1.1 ¶ 1 Bullet 5, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization should consider developing privacy policies and associated procedures for the consequences for failing to follow the privacy Rules of Behavior. (§ 4.1.1 ¶ 1 Bullet 6, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • Provide development guidance and assist in the identification, implementation and maintenance of organization information privacy policies and procedures in coordination with organization management and administration and legal counsel (T0900, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization describes the purpose(s) for which personally identifiable information (PII) is collected, used, maintained, and shared in its privacy notices. (AP-2 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures. (AR-1d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII. (AR-1e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change. (TR-1c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (PT-1c.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] personally identifiable information processing and transparency policy that: (PT-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (PT-1a.1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security and privacy policy when implemented. (SA-17(1) ¶ 1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes. (PM-20(1) ¶ 1(c), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (PT-1c.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] personally identifiable information processing and transparency policy that: (PT-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (PT-1a.1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security and privacy policy when implemented. (SA-17(1) ¶ 1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes. (PM-20(1) ¶ 1(c), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Agencies' privacy programs have responsibilities under the Risk Management Framework. The Risk Management Framework provides a disciplined and structured process that integrates information security, privacy, and risk management activities into the information system development life cycle. Agencies… (Section VII (A) ¶ 8 Risk Management Framework., OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Agency Privacy Programs. In order to manage Federal information resources that involve PII, agencies must develop, implement, document, maintain, and oversee agency-wide privacy programs that include people, processes, and technologies. Agencies' privacy programs are led by the Senior Agency Officia… (Section VII (A) ¶ 3, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers' privacy rights, or if the business does not maintain those policies, on its internet website, and update that … (§ 1798.130 (a)(5), California Civil Code Division 3 Part 4 Title 1.81.5 California Consumer Privacy Act of 2018, Amended November 3, 2020)
  • Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers' privacy rights, or if the business does not maintain those policies, on its Internet Web site, and update that… (§ 1798.130 (a)(5), California Civil Code Division 3 Part 4 Title 1.81.5 California Consumer Privacy Act of 2018, Assembly Bill No. 375)
  • Each state agency that maintains a state agency website shall adopt an internet privacy policy which shall, at a minimum, include the information required by the model internet privacy policy. Each state agency shall post its internet privacy policy on its website. Such posting shall include a consp… (§ 203.2, New York State Technology Law, Article 2 Internet Security and Privacy Act)
  • A controller or processor has an affirmative defense to a cause of action for a violation of this part if the controller or processor creates, maintains, and complies with a written privacy policy that: (§ 47-18-3213.(a), Tennessee Code Annotated, Title 47, Chapter 18, Parts 3201 through 3213, Tennessee Information Protection Act)
  • Is updated to reasonably conform with a subsequent revision to the NIST or comparable privacy framework within two (2) years of the publication date stated in the most recent revision to the NIST or comparable privacy framework; and (§ 47-18-3213.(a)(1)(B), Tennessee Code Annotated, Title 47, Chapter 18, Parts 3201 through 3213, Tennessee Information Protection Act)
  • are constantly updated based on information obtained from continuous monitoring and periodic evaluations; (Art. 50 § 2 I(h), Brazilian Law No. 13709, of August 14, 2018)