6. Protect: Policies Flashcards
Privacy Policy vs Privacy Notice
Privacy Policy - an internal document addressed to employees that clearly states how the organization handles personal information.
Privacy Notice - an external communication to data subjects.
Privacy Policy - should be clear and easy to understand, accessible to all employees, comprehensive yet concise, action-oriented, measurable, and testable.
Types of Privacy Policies and Goals of Info Sec Policies (PPPP)
Types of Privacy Policies:
- Acceptable Use
- Info Sec
- Procurement
- HR
- Data Retention
Goals of Info Sec Policies:
- Protect against unauthorized access
- Provide stakeholder information
- Promote compliance
- Promote data quality
Vendors should be held to the same standards as the organization they serve.
Cloud Computing Services Vendors - pose distinct privacy challenges.
Policies of High-Risk Areas
HR - handles diverse employee PII and typically has policies to guide processing.
Data Retention Policies - should support the principle that personal information is retained only for as long as necessary.
Data Retention Steps:
- Determine what data is being retained, and how and where it is stored
- Understand legal requirements for the data
- Brainstorm scenarios that would require data retention
- Estimate business impacts of retaining vs storing data
- Develop and implement a policy
Procurement: “Vendor Policy”
- Identify vendors and their legal obligations
- Evaluate risk, policies, and server location
- Develop a thorough contract
- Monitor vendors' practices and performance
- Use a vendor policy