Establish, implement, and maintain a personal data collection program.


CONTROL ID: 06487
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a privacy framework that protects restricted data., CC ID: 11850

This Control has the following implementation support Control(s):
  • Identify any adverse effects the collection of personal data will have on the data subject., CC ID: 15279
  • Refrain from collecting personal data, as necessary., CC ID: 15269
  • Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information., CC ID: 06488
  • Establish, implement, and maintain personal data collection limitation boundaries., CC ID: 00507


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The entity has defined policies and procedures for collecting and creating a data subject's PI. Refer to Component C3.0. (M1.0 Collection and creation, Privacy Management Framework, Updated March 1, 2020)
  • The entity has a process to collect and create (rendering and aggregating from multiple sources or information providers) PI as identified in the entity's privacy agreements. The process is consistent with its objectives related to privacy. (C3.1 PI collection and creation, Privacy Management Framework, Updated March 1, 2020)
  • The analysis of confidentiality requirements should determine how the disclosure of confidential information could have a financial impact on the organisation in terms of loss of sales, loss of orders, or loss of contracts (e.g., sales opportunities missed, orders not taken, or contracts not signed)… (SR.01.03.02a, The Standard of Good Practice for Information Security)
  • The analysis of confidentiality requirements should determine how the disclosure of confidential information could have a customer-related impact on the organization in terms of loss of confidence by key institutions (e.g., adverse criticism by investors, regulators, customers, or suppliers). (SR.01.03.04c, The Standard of Good Practice for Information Security)
  • The high-level working group should be aware of how and when Personally Identifiable Information (i.e., information that can be used to identify an individual person) is used. (SR.02.02.02c, The Standard of Good Practice for Information Security)
  • The information privacy policy should require that where Personally Identifiable Information is stored or processed, there should be a process to ensure that it is appropriately managed. (SR.02.02.05, The Standard of Good Practice for Information Security)
  • The analysis of confidentiality requirements should determine how the disclosure of confidential information could have a financial impact on the organisation in terms of loss of sales, loss of orders, or loss of contracts (e.g., sales opportunities missed, orders not taken, or contracts not signed)… (SR.01.03.02a, The Standard of Good Practice for Information Security, 2013)
  • The analysis of confidentiality requirements should determine how the disclosure of confidential information could have a customer-related impact on the organization in terms of loss of confidence by key institutions (e.g., adverse criticism by investors, regulators, customers, or suppliers). (SR.01.03.04c, The Standard of Good Practice for Information Security, 2013)
  • The high-level working group should be aware of how and when Personally Identifiable Information (i.e., information that can be used to identify an individual person) is used. (SR.02.02.02c, The Standard of Good Practice for Information Security, 2013)
  • The information privacy policy should require that where Personally Identifiable Information is stored or processed, there should be a process to ensure that it is appropriately managed. (SR.02.02.05, The Standard of Good Practice for Information Security, 2013)
  • exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; (§ 6.8.3.2.1 ¶ 1 f), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • A party should consider the applicable privacy rights of customers, employees, and third parties during the discovery process. (Comment 10.e ¶ 2, The Sedona Principles Addressing Electronic Document Production)
  • Privacy. Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives. (¶ 1.48 e., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The safe harbor principles are only relevant when the employment personal information contains individually identified records and are transferred or accessed. (FAQ-Human Resources Question 1 ¶ 2, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. (§ 164.306(a)(1), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part. (§ 164.306(a)(3), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • The proper use, access to, and dissemination of data from national crime information center restricted files shall be consistent with the use, access, and dissemination policies described in the national crime information center operating manual and the code of federal regulations, title 28, part 20… (§ 4.2.2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency SHALL consult with their Senior Agency Official for Privacy (SAOP) to conduct an analysis determining whether the collection of PII to conduct identity proofing triggers Privacy Act requirements. (4.2 ¶ 1.12.d, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • The agency SHALL consult with their SAOP to conduct an analysis determining whether the collection of PII to conduct identity proofing triggers E-Government Act of 2002 requirements. (4.2 ¶ 1.12.f, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • The organization determines and documents the legal authority that permits the collection, use, maintenance, and sharing of personally identifiable information (PII), either generally or in support of a specific program or information system need. (AP-1 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization describes the PII the organization collects and the purpose(s) for which it collects that information. (TR-1b.(i), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The requirements imposed on controllers and processors under this part may not restrict a controller's or processor's ability to collect, use, or retain data to do any of the following: (§ 501.717(1), Florida Statutes, Title XXXIII, Chapter 501, Sections 701-721, Florida Digital Bill of Rights)
  • The obligations imposed on controllers or processors under this chapter shall not restrict a controller's or processor's ability to collect, use, or retain data to: (§ 59.1-582.B., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)