Privacy The privacy category stands on its own and specifically addresses how service organizations collect, use, retain, disclose, and dispose of personal information. Do data subjects have rights to opt out of how their information is used? Do they have the ability to file a complaint and get a response on how their information is being utilized? The privacy category ensures that service organizations are handling person information in accordance with any commitments in its privacy notice, and with standards defined in the generally accepted privacy criteria issued by the AICPA. The privacy category consists of the complete set of common criteria, as well the following additional criteria: • Notice and Communication of Objectives Related to Privacy • Does the service organization provide notice to data subjects about its privacy practices, as well as communicate when the notice is updated? • Choice and Consent • Does the service organization inform data subjects about the choices available to them in relation to the collection, use, retention, disclosures, or disposal of their personal information? • Does the service organization inform data subjects about implicit and explicit consent? • Collection • Does the service organization limit the collection of personal information to that which is necessary to meet business objectives? • Does the service organization collect personal information in fair and lawful ways? • Does the service organization obtain explicit consent for sensitive information? • Use, Retention, and Disposal • Does the service organization limit the use of personal information only to intended purposes? • Does the service organization retain and protect personal information in a way that’s consistent with its business objectives? • Does the service organization dispose of personal information in a way that’s consistent with its business objectives? • Access • Does the service organization permit authorized data subjects to access their personal information? • Does the service organization correct, amend, or append personal information when data subjects provide updated information?
8
Privacy
