2 minute read
Privacy
The privacy category stands on its own and specifically addresses how service organizations collect, use, retain, disclose, and dispose of personal information. Do data subjects have rights to opt out of how their information is used? Do they have the ability to file a complaint and get a response on how their information is being utilized? The privacy category ensures that service organizations are handling person information in accordance with any commitments in its privacy notice, and with standards defined in the generally accepted privacy criteria issued by the AICPA.
The privacy category consists of the complete set of common criteria, as well the following additional criteria:
Advertisement
• Notice and Communication of Objectives Related to Privacy • Does the service organization provide notice to data subjects about its privacy practices, as well as communicate when the notice is updated? • Choice and Consent • Does the service organization inform data subjects about the choices available to them in relation to the collection, use, retention, disclosures, or disposal of their personal information? • Does the service organization inform data subjects about implicit and explicit consent? • Collection • Does the service organization limit the collection of personal information to that which is necessary to meet business objectives? • Does the service organization collect personal information in fair and lawful ways? • Does the service organization obtain explicit consent for sensitive information? • Use, Retention, and Disposal • Does the service organization limit the use of personal information only to intended purposes? • Does the service organization retain and protect personal information in a way that’s consistent with its business objectives? • Does the service organization dispose of personal information in a way that’s consistent with its business objectives? • Access • Does the service organization permit authorized data subjects to access their personal information? • Does the service organization correct, amend, or append personal information when data subjects provide updated information?
Privacy
• Disclosure and Notification • Does the service organization only disclose personal information to third parties when they have obtained explicit consent? • Does the service organization keep a complete, accurate, and timely record of authorized disclosures of personal information? • Does the service organization keep a complete, accurate, and timely record of detected or reported unauthorized disclosures or personal information? • Does the service organization obtain privacy commitments from vendors, business partners, and other third parties who have access to personal information? • Does the service organization obtain commitments from vendors, business partners, and other third parties to provide notification of suspected or actual unauthorized disclosures of personal information? • Does the service organization notify impacted data subjects and other appropriate parties of breaches or incidents? • Does the service organization give data subjects an accounting of their personal information held and disclosure of their personal information? • Quality • Does the service organization demonstrate a commitment to collect and maintain accurate, up-to-date, complete, and relevant personal information? • Monitoring and Enforcement • Does the service organization have a process for resolving inquiries, complaints, and disputes from data subjects?
