last sync: 2024-Apr-24 17:46:58 UTC

Provide privacy notice | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Provide privacy notice
Id: 098a7b84-1031-66d8-4e78-bd15b5fd2efb
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_0414 - Provide privacy notice
Additional metadata:
Name/Id: CMA_0414 / CMA_0414
Category: Operational
Title: Provide privacy notice
Ownership: Customer
Description: Microsoft recommends that your organization understand the legal requirements for collecting personal data and provide clear, conspicuous, and prominent notice to data subjects, or to a person authorized by the data subject, prior to collecting and processing any of their personal data. It is recommended that, at a minimum, the notice include your organization's identity, location and contact details, the purpose(s) of processing, the nature of the personal data processed, any recipients of the data, details of any international transfers of the personal data that might occur, the period of storage or use of the personal data, the location of stored data, and the data subject's rights regarding the collection, use (including selling), correction and/or deletion of personal information by the business. It is also recommended to provide such notices in applicable and acceptable languages, and in a reasonably discoverable and accessible format (e.g., a webpage link). Microsoft recommends that your organization provide a notice to customers that accurately reflects your privacy policies and practices annually for the duration of the customer relationship. Consider providing the initial privacy notice, annual notice, or revised notice to customers in a form that allows them to retain the notice in written or electronic form. These notices may include the categories of nonpublic personal information that you collect or disclose, the categories of affiliates and non-affiliated third parties to whom you disclose nonpublic personal information, and the categories of nonpublic personal information about your former customers. It is recommended to notify the user about any new data that has been collected on them, how long the data will be held, the deletion method, any transfer of their data due to a merger or acquisition, the method to withdraw consent, and the business transferee's details.
In cases where notice was not provided to the data subject prior to processing of personal data, it is recommended that clear notice be provided as soon as practicable. In the case of automated processing of data, Microsoft recommends that your organization inform the concerned authority before processing data. When using the data subject's data for marketing purposes, it is recommended that your organization inform the data subject of their right to request that your organization cease processing their data, free of cost. Microsoft also recommends that your organization determine the legal requirements for providing the privacy notification orally. Various data privacy regulations do not consider oral explanations of privacy notices, in person or over the telephone, to be sufficient privacy notifications. Therefore, it is important for your organization to understand the permissibility of and requirements for oral notifications. Additionally, your organization may bear the burden of proving that the privacy notice was presented to the data subject. It is recommended that your organization not, directly or through any affiliate, disclose any personal information about a consumer to a non-affiliated third party other than as described in the initial notice that you provided to that consumer, unless:
- You have provided to the consumer a clear and conspicuous revised notice that accurately describes your policies and practices
- You have provided to the consumer a new opt out notice
- You have given the consumer a reasonable opportunity, before you disclose the information to the non-affiliated third party, to opt out of the disclosure
- The consumer does not opt out
Microsoft recommends that your organization add both your global privacy contact and your organization's privacy statement, so your internal employees and external guests can review your policies.
Because privacy statements are uniquely created and tailored for each business, it is recommended that you contact a lawyer for assistance. The General Data Protection Regulation (GDPR) allows organizations to provide the information orally when requested by the data subject, provided that the identity of the data subject is proven by other means. Hong Kong's Cyber Law recommends that your organization notify the individual about the consequences of carrying out matching procedures and what adverse action could be taken against them. When personal data is collected indirectly from the data subject, Mexico's Federal Data Protection Law requires organizations to inform the data subject of changes made to the privacy notice prior to using the data. The Korean Act on Promotion Of Information And Communications Network Utilization And Data Protection requires organizations to notify users of a recess plan and period 30 days prior to the start day, to notify users of a repeal plan 60 days in advance, and to report the recess and repeal plans to the Korea Communications Commission. Your organization may be required to notify third parties when responding to an individual's request to access records that could invade the personal privacy of the third party. In the case that your organization suspects an individual or an entity has personal information in their possession without proper authorization, it is recommended that your organization provide a notice to the individual or entity requesting that appropriate action be taken, such as returning or disposing of the information.
Belgium's act on the protection of natural persons regarding the processing of personal data requires organizations to inform data subjects of their right to lodge a complaint with the supervisory authority, to provide the contact details of that authority, to inform them when their data is rendered anonymous, and to explain the reasons why facilitating a data subject request would hinder achieving the purpose of processing. The New Mexico Information Privacy Act requires the privacy notice to include at least two designated methods for submitting verifiable consumer requests, including a toll-free telephone number and a website address if the business maintains a website. It also mandates that businesses not require a consumer to create an account to make a verifiable consumer request. If a business sells consumers' personal information to third parties, the New Mexico Information Privacy Act requires it to provide a clear and conspicuous link to an internet web page titled "Do Not Sell My Personal Information" that enables a consumer to opt out. The CMS Information Systems Security and Privacy Policy standard requires your organization to develop, document and distribute a privacy notice to all Medicare Fee-for-Service beneficiaries as required by the HIPAA standard. The notice must include Medicare's duties, guidelines on Medicare enrollment and Medicare's legal duties, and such notices should be reviewed and provided to the data subject annually in several ways as prescribed by the standard.
The FTC Privacy of Consumer Financial Information:
- Requires providing conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship
- Requires providing any privacy notices and opt out notices, including short-form initial notices, so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically
- Defines an oral description of the notice as insufficient (notifications may not be solely by orally explaining the notice, either in person or over the telephone)
Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect:
Default: Manual
Allowed: Manual, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (1): Microsoft.Resources/subscriptions
Compliance
The following 19 compliance controls are associated with this Policy definition 'Provide privacy notice' (098a7b84-1031-66d8-4e78-bd15b5fd2efb)
Each control is listed with its Control Domain, Control Name, MetadataId, Category, Title, Owner, Requirements, Description, Info and Policy# (the number of policies mapped to that control).

1201.06e1Organizational.2-06.e
Control Domain: hipaa | Control Name: 1201.06e1Organizational.2-06.e | MetadataId: hipaa-1201.06e1Organizational.2-06.e
Category: 12 Audit Logging & Monitoring
Title: 1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements
Owner: Shared | Requirements: n/a | Policy#: 12
Description: The organization provides notice that the employee's actions may be monitored, and that the employee consents to such monitoring.

1902.06d1Organizational.2-06.d
Control Domain: hipaa | Control Name: 1902.06d1Organizational.2-06.d | MetadataId: hipaa-1902.06d1Organizational.2-06.d
Category: 19 Data Protection & Privacy
Title: 1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements
Owner: Shared | Requirements: n/a | Policy#: 11
Description: When required, consent is obtained before any PII (e.g., about a client/customer) is emailed, faxed, or communicated by telephone conversation, or otherwise disclosed to parties external to the organization.

19243.06d1Organizational.15-06.d
Control Domain: hipaa | Control Name: 19243.06d1Organizational.15-06.d | MetadataId: hipaa-19243.06d1Organizational.15-06.d
Category: 19 Data Protection & Privacy
Title: 19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements
Owner: Shared | Requirements: n/a | Policy#: 9
Description: The organization specifies where covered information can be stored.

ISO 27001:2013 A.10.1.1
Control Domain: ISO27001-2013 | Control Name: A.10.1.1 | MetadataId: ISO27001-2013_A.10.1.1
Category: Cryptography
Title: Policy on the use of cryptographic controls
Owner: Shared | Requirements: n/a | Info: link | Policy#: 18
Description: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

ISO 27001:2013 A.13.2.2
Control Domain: ISO27001-2013 | Control Name: A.13.2.2 | MetadataId: ISO27001-2013_A.13.2.2
Category: Communications Security
Title: Agreements on information transfer
Owner: Shared | Requirements: n/a | Info: link | Policy#: 11
Description: Agreements shall address the secure transfer of business information between the organization and external parties.

ISO 27001:2013 A.7.1.2
Control Domain: ISO27001-2013 | Control Name: A.7.1.2 | MetadataId: ISO27001-2013_A.7.1.2
Category: Human Resources Security
Title: Terms and conditions of employment
Owner: Shared | Requirements: n/a | Info: link | Policy#: 24
Description: The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security.

PCI DSS v4.0 3.3.1
Control Domain: PCI_DSS_v4.0 | Control Name: 3.3.1 | MetadataId: PCI_DSS_v4.0_3.3.1
Category: Requirement 03: Protect Stored Account Data
Title: Sensitive authentication data (SAD) is not stored after authorization
Owner: Shared | Requirements: n/a | Info: link | Policy#: 8
Description: SAD is not retained after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process.

PCI DSS v4.0 3.3.1.1
Control Domain: PCI_DSS_v4.0 | Control Name: 3.3.1.1 | MetadataId: PCI_DSS_v4.0_3.3.1.1
Category: Requirement 03: Protect Stored Account Data
Title: Sensitive authentication data (SAD) is not stored after authorization
Owner: Shared | Requirements: n/a | Info: link | Policy#: 8
Description: The full contents of any track are not retained upon completion of the authorization process.

PCI DSS v4.0 3.3.1.2
Control Domain: PCI_DSS_v4.0 | Control Name: 3.3.1.2 | MetadataId: PCI_DSS_v4.0_3.3.1.2
Category: Requirement 03: Protect Stored Account Data
Title: Sensitive authentication data (SAD) is not stored after authorization
Owner: Shared | Requirements: n/a | Info: link | Policy#: 5
Description: The card verification code is not retained upon completion of the authorization process.

PCI DSS v4.0 3.3.1.3
Control Domain: PCI_DSS_v4.0 | Control Name: 3.3.1.3 | MetadataId: PCI_DSS_v4.0_3.3.1.3
Category: Requirement 03: Protect Stored Account Data
Title: Sensitive authentication data (SAD) is not stored after authorization
Owner: Shared | Requirements: n/a | Info: link | Policy#: 8
Description: The personal identification number (PIN) and the PIN block are not retained upon completion of the authorization process.

PCI DSS v4.0 3.3.3
Control Domain: PCI_DSS_v4.0 | Control Name: 3.3.3 | MetadataId: PCI_DSS_v4.0_3.3.3
Category: Requirement 03: Protect Stored Account Data
Title: Sensitive authentication data (SAD) is not stored after authorization
Owner: Shared | Requirements: n/a | Info: link | Policy#: 13
Description: Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is:
• Limited to that which is needed for a legitimate issuing business need and is secured.
• Encrypted using strong cryptography. This bullet is a best practice until its effective date; refer to Applicability Notes below for details.

PCI DSS v4.0 3.4.1
Control Domain: PCI_DSS_v4.0 | Control Name: 3.4.1 | MetadataId: PCI_DSS_v4.0_3.4.1
Category: Requirement 03: Protect Stored Account Data
Title: Access to displays of full PAN and ability to copy cardholder data are restricted
Owner: Shared | Requirements: n/a | Info: link | Policy#: 3
Description: PAN is masked when displayed (the BIN and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the BIN and last four digits of the PAN.

PCI DSS v4.0 3.4.2
Control Domain: PCI_DSS_v4.0 | Control Name: 3.4.2 | MetadataId: PCI_DSS_v4.0_3.4.2
Category: Requirement 03: Protect Stored Account Data
Title: Access to displays of full PAN and ability to copy cardholder data are restricted
Owner: Shared | Requirements: n/a | Info: link | Policy#: 3
Description: When using remote-access technologies, technical controls prevent copy and/or relocation of PAN for all personnel, except for those with documented, explicit authorization and a legitimate, defined business need.

SOC 2 Type 2 CC2.3
Control Domain: SOC_2 | Control Name: CC2.3 | MetadataId: SOC_2_CC2.3
Category: Communication and Information
Title: COSO Principle 15
Owner: Shared | Requirements: The customer is responsible for implementing this recommendation. | Policy#: 14
Description:
• Communicates to External Parties — Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties.
• Enables Inbound Communications — Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information.
• Communicates With the Board of Directors — Relevant information resulting from assessments conducted by external parties is communicated to the board of directors.
• Provides Separate Communication Lines — Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective.
• Selects Relevant Method of Communication — The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations.
Additional point of focus that applies only to an engagement using the trust services criteria for confidentiality:
• Communicates Objectives Related to Confidentiality and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives and changes to objectives related to confidentiality.
Additional point of focus that applies only to an engagement using the trust services criteria for privacy:
• Communicates Objectives Related to Privacy and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose products and services are part of the system, objectives related to privacy and changes to those objectives.
Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level:
• Communicates Information About System Operation and Boundaries — The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized external users to permit users to understand their role in the system and the results of system operation.
• Communicates System Objectives — The entity communicates its system objectives to appropriate external users.
• Communicates System Responsibilities — External users with responsibility for designing, developing, implementing, operating, maintaining, and monitoring system controls receive communications about their responsibilities and have the information necessary to carry out those responsibilities.
• Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters — External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate personnel.

SOC 2 Type 2 P1.1
Control Domain: SOC_2 | Control Name: P1.1 | MetadataId: SOC_2_P1.1
Category: Additional Criteria For Privacy
Title: Privacy notice
Owner: Shared | Requirements: The customer is responsible for implementing this recommendation. | Policy#: 5
Description:
• Communicates to Data Subjects — Notice is provided to data subjects regarding the following: — Purpose for collecting personal information — Choice and consent — Types of personal information collected — Methods of collection (for example, use of cookies or other tracking techniques) — Use, retention, and disposal — Access — Disclosure to third parties — Security for privacy — Quality, including data subjects' responsibilities for quality — Monitoring and enforcement
• Provides Notice to Data Subjects — Notice is provided to data subjects (1) at or before the time personal information is collected or as soon as practical thereafter, (2) at or before the entity changes its privacy notice or as soon as practical thereafter, or (3) before personal information is used for new purposes not previously identified.
• Covers Entities and Activities in Notice — An objective description of the entities and activities covered is included in the entity's privacy notice.
• Uses Clear and Conspicuous Language — The entity's privacy notice is conspicuous and uses clear language.

SOC 2 Type 2 P2.1
Control Domain: SOC_2 | Control Name: P2.1 | MetadataId: SOC_2_P2.1
Category: Additional Criteria For Privacy
Title: Privacy consent
Owner: Shared | Requirements: The customer is responsible for implementing this recommendation. | Policy#: 4
Description:
• Communicates to Data Subjects — Data subjects are informed (a) about the choices available to them with respect to the collection, use, and disclosure of personal information and (b) that implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise.
• Communicates Consequences of Denying or Withdrawing Consent — When personal information is collected, data subjects are informed of the consequences of refusing to provide personal information or denying or withdrawing consent to use personal information for purposes identified in the notice.
• Obtains Implicit or Explicit Consent — Implicit or explicit consent is obtained from data subjects at or before the time personal information is collected or soon thereafter. The individual's preferences expressed in his or her consent are confirmed and implemented.
• Documents and Obtains Consent for New Purposes and Uses — If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the data subject is notified, and implicit or explicit consent is obtained prior to such new use or purpose.
• Obtains Explicit Consent for Sensitive Information — Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise.
• Obtains Consent for Data Transfers — Consent is obtained before personal information is transferred to or from an individual's computer or other similar device.

SOC 2 Type 2 P4.1
Control Domain: SOC_2 | Control Name: P4.1 | MetadataId: SOC_2_P4.1
Category: Additional Criteria For Privacy
Title: Personal information use
Owner: Shared | Requirements: The customer is responsible for implementing this recommendation. | Policy#: 5
Description:
• Uses Personal Information for Intended Purposes — Personal information is used only for the intended purposes for which it was collected and only when implicit or explicit consent has been obtained, unless a law or regulation specifically requires otherwise.

SOC 2 Type 2 P6.7
Control Domain: SOC_2 | Control Name: P6.7 | MetadataId: SOC_2_P6.7
Category: Additional Criteria For Privacy
Title: Accounting of disclosure of personal information
Owner: Shared | Requirements: The customer is responsible for implementing this recommendation. | Policy#: 5
Description:
• Identifies Types of Personal Information and Handling Process — The types of personal information and sensitive personal information and the related processes, systems, and third parties involved in the handling of such information are identified.
• Captures, Identifies, and Communicates Requests for Information — Requests for an accounting of personal information held and disclosures of the data subjects' personal information are captured and information related to the requests is identified and communicated to data subjects to meet the entity's objectives related to privacy.

SOC 2 Type 2 PI1.1
Control Domain: SOC_2 | Control Name: PI1.1 | MetadataId: SOC_2_PI1.1
Category: Additional Criteria For Processing Integrity
Title: Data processing definitions
Owner: Shared | Requirements: The customer is responsible for implementing this recommendation. | Policy#: 3
Description:
• Identifies Information Specifications — The entity identifies information specifications required to support the use of products and services.
• Defines Data Necessary to Support a Product or Service — When data is provided as part of a service or product or as part of a reporting obligation related to a product or service:
  1. The definition of the data is available to the users of the data
  2. The definition of the data includes the following information:
     a. The population of events or instances included in the data
     b. The nature of each element (for example, field) of the data (that is, the event or instance to which the data element relates, for example, transaction price of a sale of XYZ Corporation stock for the last trade in that stock on a given day)
     c. Source(s) of the data
     d. The unit(s) of measurement of data elements (for example, fields)
     e. The accuracy/correctness/precision of measurement
     f. The uncertainty or confidence interval inherent in each data element and in the population of those elements
     g. The date the data was observed or the period of time during which the events relevant to the data occurred
     h. The factors in addition to the date and period of time used to determine the inclusion and exclusion of items in the data elements and population
  3. The definition is complete and accurate.
  4. The description of the data identifies any information that is necessary to understand each data element and the population in a manner consistent with its definition and intended purpose (metadata) that has not been included within the data.
The following point of focus, which applies only to an engagement using the trust services criteria for processing integrity for a system that produces, manufactures, or distributes products, highlights important characteristics relating to this criterion:
• Defines Information Necessary to Support the Use of a Good or Product — When information provided by the entity is needed to use the good or product in accordance with its specifications:
  1. The required information is available to the user of the good or product.
  2. The required information is clearly identifiable.
  3. The required information is validated for completeness and accuracy
Initiatives usage
Initiative DisplayName | Initiative Id | Initiative Category | State | Type
HITRUST/HIPAA | a169a624-5599-4385-a696-c8d643089fab | Regulatory Compliance | GA | BuiltIn
ISO 27001:2013 | 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 | Regulatory Compliance | GA | BuiltIn
PCI DSS v4 | c676748e-3af9-4e22-bc28-50feed564afb | Regulatory Compliance | GA | BuiltIn
SOC 2 Type 2 | 4054785f-702b-4a98-9215-009cbd58b141 | Regulatory Compliance | GA | BuiltIn
History
Date/Time (UTC ymd) | Change type | Change detail
2022-09-27 16:35:32 | change | Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 | add | 098a7b84-1031-66d8-4e78-bd15b5fd2efb