Notify interested personnel and affected parties when changes are made to the privacy policy.


CONTROL ID: 06943
CONTROL TYPE: Behavior
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a privacy policy. (CC ID: 06281)

This Control has the following implementation support Control(s):
  • Document the notification of interested personnel and affected parties regarding privacy policy changes. (CC ID: 06944)


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Every provider of information and communications services or similar shall, when he or she revises the policy on managing personal information under paragraph (1), give public notice of the reasons for and details of such revision without delay in a manner specified by Presidential Decree, and take … (Article 27-2(3), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the data subject is notified, and implicit or explicit consent is obtained prior to such new use or purpose. (C3.2 Documents and obtained consent for new purposes and uses, Privacy Management Framework, Updated March 1, 2020)
  • The entity has policies and procedures it follows when it is determined that changes are needed to its privacy agreements/notices. The entity documents the reasons for such changes and these changes are formally approved by an authorized member of management prior to being implemented. When require… (N2.2 Changes to privacy agreements/notices, Privacy Management Framework, Updated March 1, 2020)
  • As is the case with respect to criminal law enforcement authorities, Privacy and Civil Liberties Officers exist at all intelligence agencies. The powers of these officers typically encompass the supervision of procedures to ensure that the respective department/agency is adequately considering priva… (3.2.2 (164), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Are clients notified upon changes to the CSP’s security and/or privacy policies? (Appendix D, Maintain an Information Security Policy Bullet 2, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the data subject is notified, and implicit or explicit consent is obtained prior to such new use or purpose. (P2.1 ¶ 2 Bullet 4 Documents and Obtains Consent for New Purposes and Uses, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Notice is provided to data subjects (1) at or before the time personal information is collected or as soon as practical thereafter, (2) at or before the entity changes its privacy notice or as soon as practical thereafter, or (3) before personal information is used for new purposes not previously id… (P1.1 ¶ 2 Bullet 2 Provides Notice to Data Subjects, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity communicates, to external users, vendors, business partners, and others whose products or services, or both, are part of the system, the entity's objectives related to privacy and the protection of personal information, as well as changes to those objectives. (CC2.3 ¶ 5 Bullet 1 Communicates Objectives Related to Privacy and Changes to Those Objectives, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Data subjects are informed when changes are made to the privacy notice and the nature of such changes. (P1.1 ¶ 2 Bullet 6 Communicates Changes to Notice, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization should provide a notice to individuals at or before it changes the privacy policy and procedures, or as soon as practical after the change. (Generally Accepted Privacy Principles and Criteria § 2.2.1 (b), Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should provide a notice to individuals at or before it changes the privacy policy and procedures, or as soon as practical after the change. (Table Ref 2.2.1.b, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should notify individuals of changes in the privacy policy by posting it on the website, sending an e-mail, or sending a written notice by the post office. (Table Ref 2.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Notice is provided to data subjects (1) at or before the time personal information is collected or as soon as practical thereafter, (2) at or before the entity changes its privacy notice or as soon as practical thereafter, or (3) before personal information is used for new purposes not previously id… (P1.1 Provides Notice to Data Subjects, Trust Services Criteria)
  • If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the data subject is notified, and implicit or explicit consent is obtained prior to such new use or purpose. (P2.1 Documents and Obtains Consent for New Purposes and Uses, Trust Services Criteria)
  • If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the data subject is notified, and implicit or explicit consent is obtained prior to such new use or purpose. (P2.1 ¶ 2 Bullet 4 Documents and Obtains Consent for New Purposes and Uses, Trust Services Criteria, (includes March 2020 updates))
  • Notice is provided to data subjects (1) at or before the time personal information is collected or as soon as practical thereafter, (2) at or before the entity changes its privacy notice or as soon as practical thereafter, or (3) before personal information is used for new purposes not previously id… (P1.1 ¶ 2 Bullet 2 Provides Notice to Data Subjects, Trust Services Criteria, (includes March 2020 updates))
  • The entity provides notice to data subjects about its privacy practices to meet the entity’s privacy commitments and system requirements. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of pers… (P1.1, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • A health plan that does not post its notice on a web site pursuant to paragraph (c)(3)(i) of this section must provide the revised notice, or information about the material change and how to obtain the revised notice, to individuals then covered by the plan within 60 days of the material revision to… (§ 164.520(c)(1)(v)(B), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • You may provide a revised privacy notice, under § 313.8, that covers the customer's new financial product or service; or (§ 313.4(d)(1), 16 CFR Part 313, Privacy of Consumer Financial Information)
  • Privacy values, policies, and training are reviewed and any updates are communicated. (GV.MT-P2, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator's privacy policy for that Web site or online service. (§ 22575(b)(3), California Civil Code, Division 8, Chapter 22, § 22575 to 22579 - Internet Privacy Requirements)
  • Describe the process by which the operator notifies users of its commercial internet website, online or cloud computing service, online application, or mobile application of material changes to the operator's privacy policy for that internet website, online or cloud computing service, online applica… (§ 1205C(b)(3), Delaware Code, Title 6, Commerce and Trade, Subtitle II, Other Laws Relating to Commerce and Trade, Chapter 12C, Online and Personal Privacy Protection)