12.6 Data Privacy
(Last Modified on June 4, 2021)
The USG is committed to protecting privacy. Personal information will only be disclosed to third parties when allowed by law or with the consent of the data subject.
USG provides additional data privacy compliance guidance at /policies/dataprivacy.
12.6.1 Data Inventory
(Last Modified on August 26, 2021)
Compliance due by December 31, 2023
See supporting RoPA Process Guide at /policies/dataprivacy.
Processing of organizational data by systems, products or services must be understood and used to inform management of privacy risk. Inventorying data is a foundational step in identifying the assets that are to be protected. Organizations must:
- Inventory systems, products or services managing individuals’ (data subjects) data;
- Inventory the data actions of the systems, products or services managing data; and,
- Inventory the purposes for the data actions managing data.
12.6.2 Data Risk Management
(Last Modified on August 26, 2021)
Compliance due by December 31, 2023
See supporting RoPA Process Guide at /policies/dataprivacy.
Establishing priorities, constraints, risk tolerance, and assumptions are the next steps to support risk decisions associated with managing privacy risk and third parties. Organizations shall confirm:
- All parties in the data processing ecosystem are identified, assessed and prioritized to support operational risk decisions; and,
- Contracts or multi-party approaches are used to achieve data privacy objectives and manage data privacy risks.
12.6.3 Data Processing Documentation
(Last Modified on August 26, 2021)
Compliance due by December 31, 2023
See supporting RoPA Process Guide at /policies/dataprivacy.
For data systems determined in the inventory to contain personal information (Section 12.6.1), it is essential that written documentation is used to manage data processing to protect individuals (data subjects) and reduce organizational risk. Organizations must document both their policies, processes and procedures regarding, and their execution of:
- Authorizing data processing, revoking authorizations and maintaining authorizations; and,
- Enabling individuals’ data processing preferences and requests that are required by law/policy.
12.6.4 Disassociation and De-identification
(Last Modified on June 4, 2021)
Compliance due by December 31, 2022
See supporting DSR Process Guide at /policies/dataprivacy.
As an objective of data privacy, data processing solutions shall increase disassociability to protect individuals’ (data subjects’) privacy and enable implementation of privacy principles (e.g., data minimization). Organizations must process privacy-protected data to limit, to the extent possible:
- Observability and linkability (e.g., encryption);
- Identification of individuals;
- Formulation of inferences about individuals’ behavior or activities;
- Collection or disclosure of data elements; and,
- Attribute values, by substituting attribute references.
12.6.5 Data Processing Awareness
(Last Modified on August 26, 2021)
Compliance due by December 31, 2022
See supporting DSR Process Guide at /policies/dataprivacy.
Awareness of data processing practices and associated privacy risks must be shared with individual (data subject) and organizational stakeholders. To support awareness, organizations must:
- Implement mechanisms (e.g., notices, internal or public reports) for communicating data processing purposes, practices, associated privacy risks and options for enabling individuals’ (data subjects’) preferences and requests where allowable by law;
- Maintain records of unintended data disclosures to be accessed for investigative review;
- Develop and implement policies and processes for receiving, tracking and responding to complaints, concerns and questions from individuals about organizational privacy practices;
- Communicate requested data corrections or deletions to individuals (data subjects) or organizations making such requests;
- Notify impacted individuals (data subjects) and/or organizations as required by law concerning a privacy breach or event; and,
- Provide individuals (data subjects) with mitigation mechanisms as required by law to address impacts of a privacy breach or event.
12.6.6 Communication
(Last Modified on June 4, 2021)
Compliance due by December 31, 2022
See supporting DSR Process Guide at /policies/dataprivacy.
Beyond awareness, communication must be employed to increase transparency of the organization’s data processing practices and associated privacy risks. Organizations shall promote communications through written policies, processes and procedures that include:
- Establishing roles and responsibilities (e.g., public relations) for communicating data processing purposes, practices and associated privacy risks to external stakeholders; and,
- Communicating data processing purposes, practices and associated privacy values, policies and risks.