Conduct personal data processing training.


CONTROL ID: 13757
CONTROL TYPE: Training
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain training plans., CC ID: 00828

This Control has the following implementation support Control(s):
  • Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose., CC ID: 13758


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Protection of confidential information, and customer data (C14.3. ¶ 1(2), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • reasonably determining the operational authority of personal information processing, and regularly conducting safety education and training for practitioners; (Article 51 ¶ 1(4), Personal Information Protection Law of the People's Republic of China)
  • A personal information controller shall provide personal information handlers with necessary educational programs on a regular basis in order to ensure the appropriate handling of personal information. (Article 28(2), Personal Information Protection Act)
  • Obligatory training of employees entrusted with the processing of personally identifiable data of the customer (e.g. classroom training, WBT). (9.3 Requirements Bullet 4, Information Security Assessment, Version 5.1)
  • Firstly, each intelligence agency must ensure appropriate data security and prevent access by unauthorised persons to personal data collected through signals intelligence. In this respect, different instruments, including statute, guidelines and standards further specify the minimum information secu… (3.2.1.3 (155), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Education: participation in educational efforts for consumers about behavioral online advertising (TC-IM-220a.1. 6.1, Internet Media & Services Sustainability Accounting Standard, Version 2018-10)
  • Education: participation in educational efforts for consumers about behavioral online advertising (TC-SI-220a.1. 6.1, Software & IT Services Sustainability Accounting Standard, Version 2018-10)
  • Education: participation in educational efforts for consumers about behavioral online advertising (TC-TL-220a.1. 6.1, Telecommunication Services Sustainability Accounting Standard, Version 2018-10)
  • the need for training persons who have access to health information; (§ 1173(d)(1)(A)(iii), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 104th Congress)
  • Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions wit… (§ 164.530(b)(1), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Dissemination and destruction. (§ 5.2.1.2 ¶ 1(6), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Dissemination and destruction. (§ 5.2.1.2 ¶ 1 6., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; (AT-2b., FedRAMP Security Controls High Baseline, Version 5)
  • Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; (AT-2b., FedRAMP Security Controls Low Baseline, Version 5)
  • Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; (AT-2b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; (AT-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; (AT-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; (AT-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; (AT-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of personally identifiable information processing and transparency controls. (AT-3(5) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Oversee, direct, deliver or ensure delivery of initial privacy training and orientation to all employees, volunteers, contractors, alliances, business associates and other appropriate third parties (T0881, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Oversee, direct, deliver or ensure delivery of initial privacy training and orientation to all employees, volunteers, contractors, alliances, business associates and other appropriate third parties (T0881, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and (UL-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; (AT-2b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of personally identifiable information processing and transparency controls. (AT-3(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; (AT-2b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of personally identifiable information processing and transparency controls. (AT-3(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)