PII Disclosure Procedure
ISO/IEC 27701 Toolkit: Version 1 ©CertiKit
PII Disclosure Procedure
Implementation guidance The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document This document describes how PII disclosure requests will be processed and recorded.
Areas of the standard addressed The following areas of the ISO27701 standard are addressed by this document: •
Annex B o B.8.5 PII sharing, transfer and disclosure ▪ B.8.5.3 Records of PII disclosure to third parties ▪ B.8.5.4 Notification of PII disclosure requests ▪ B.8.5.5 Legally binding PII disclosures
General guidance Given the high potential size of fines for noncompliance, it pays to be careful when disclosing PII to organizations other than the customer. However, requests for such disclosure may become more common from law enforcement agencies and other official bodies and it’s important for employees handling such requests to know what they must and must not do in these circumstances. Note that the ISO27701 standard simply requires that disclosures are recorded; this procedure also records requests for disclosure, and whether or not they were approved.
Review frequency We would recommend that this document is reviewed at least annually.
Version 1
Page 2 of 11
[Insert date]
PII Disclosure Procedure
Document fields This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document): 1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name. 2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab). 3. Press F9 on the keyboard to update all fields. 4. When prompted, choose the option to just update TOC page numbers. If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly. Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.
Version 1
Page 3 of 11
[Insert date]
PII Disclosure Procedure
Disclaimer Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Version 1
Page 4 of 11
[Insert date]
PII Disclosure Procedure [Insert classification]
PII Disclosure Procedure
Version 1
DOCUMENT CLASSIFICATION
[Insert classification]
DOCUMENT REF
PIMS-DOC-B85-2
VERSION
1
DATED
[Insert date]
DOCUMENT AUTHOR
[Insert name]
DOCUMENT OWNER
[Insert name/role]
Page 5 of 11
[Insert date]
PII Disclosure Procedure [Insert classification]
Revision history VERSION
DATE
REVISION AUTHOR
SUMMARY OF CHANGES
Distribution NAME
TITLE
Approval NAME
Version 1
POSITION
SIGNATURE
Page 6 of 11
DATE
[Insert date]
PII Disclosure Procedure [Insert classification]
Contents 1
Introduction ............................................................................................................... 8
2
PII disclosure procedure ............................................................................................. 9 2.1
Disclosure request received.......................................................................................... 9
2.2
Document the disclosure request ................................................................................. 9
2.3
Assess the disclosure request ..................................................................................... 10
2.4
Perform approved disclosure ..................................................................................... 10
Version 1
Page 7 of 11
[Insert date]
PII Disclosure Procedure [Insert classification]
1 Introduction [Organization Name] acts as a processor for a number of customers who entrust significant amounts of personally identifiable information (PII) to us for processing. In doing so, the customer retains responsibility as the controller of the PII and relies upon us to help them to meet their legal obligations. This procedure applies to PII that [Organization Name] processes on behalf of its customers. As the controller of the PII, the customer has the primary responsibility for ensuring that their legal obligations to the PII principal are met. The relationship between [Organization Name] as the processor and the customer as the controller of the PII is covered by a written contract which meets the requirements of the applicable privacy legislation. This procedure is intended to be used when a request has been received by [Organization Name] from a third party for the disclosure of PII for which one or more customers are the controller. Such requests may be received from a variety of sources and each request must be carefully evaluated when deciding how it should be processed. Given the potential sensitivity of such requests, any uncertainty or ambiguity regarding this procedure and its application must be raised with management, and clarification sought. This procedure should be considered in conjunction with the following related documents: • •
PII Processor Policy Records of Processor PII Disclosures
Version 1
Page 8 of 11
[Insert date]
PII Disclosure Procedure [Insert classification]
2 PII disclosure procedure The following steps must be taken when dealing with a request to disclose customer PII.
2.1 Disclosure request received Requests to disclose PII may originate from a variety of types of third party, including: • • • • • • •
Law enforcement agencies External auditors Suppliers Members of the public Courts Tribunals Administrative authorities
Note that this is not an exhaustive list, and other third parties may also request access to PII. A request to disclose PII may come into the organization via a number of routes, including: • • • •
The help desk Directly to senior management Via email Via employees
All requests for the disclosure of PII to third parties must be directed to the Data Protection Officer (DPO) in the first instance. The DPO must then take steps to confirm the main details of the request, including the identity of the requester.
2.2 Document the disclosure request It is a requirement that all requests for the disclosure of PII to third parties be documented. The form Records of Processor PII Disclosures is used for this purpose. The following information must be recorded about the request: • • • • • •
Date of disclosure request Name of party requesting PII disclosure Contact details of party requesting PII disclosure Description of PII requested Amount of PII requested Reason for requesting PII disclosure
Version 1
Page 9 of 11
[Insert date]
PII Disclosure Procedure [Insert classification] The intention of this procedure is that all requests for the disclosure of PII are recorded, whether or not they are later approved. This represents a more complete picture of disclosure activity, compared to the recording of approved requests only. All relevant documentation relating to the request (such as emails and official papers) must be retained securely, with access limited to authorised personnel only.
2.3 Assess the disclosure request Once the details of the request have been received, documented and confirmed, the DPO will decide whether the request should be approved or rejected. Unless the request is of a type that has been formally pre-approved by the customer (and documented in the relevant contract), the customer must be consulted as soon as possible about the request as part of the decision-making process. An exception to this is where there is a legal obligation to maintain the confidentiality of the request, in which case the customer must not be contacted. Legally binding requests which are submitted by an appropriate authority must be complied with. Otherwise, the decision whether to allow the request will generally be made by the customer. The assessment must also include consideration of the type and amount of PII requested and the reason for it; the principle of data minimisation should be followed so that only the PII that is required to fulfil the purpose of the request is disclosed. Once a decision has been made, the following information must be recorded: • • • • •
Decision regarding the disclosure Date of decision Person making the decision Reason for decision Reference to supporting information
In the event that the request is rejected, the requester must be informed of the decision, and the reasons for it.
2.4 Perform approved disclosure For an approved disclosure request, the DPO (or authorised deputy) will discuss with the requester the best method of making the PII available. This must be in an appropriately secure manner which takes account of the sensitivity and amount of PII involved. The following information must be recorded about the disclosure: • • •
Date of disclosure Description of PII disclosed Amount of PII disclosed
Version 1
Page 10 of 11
[Insert date]
PII Disclosure Procedure [Insert classification] • •
Method of disclosure Any further information relevant to the disclosure
If permitted by law, the customer should be informed that the disclosure has taken place.
Version 1
Page 11 of 11
[Insert date]