last sync: 2024-Oct-04 17:51:30 UTC

Document the legal basis for processing personal information | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Document the legal basis for processing personal information
Id 79c75b38-334b-1a69-65e0-a9d929a42f75
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0206 - Document the legal basis for processing personal information
Additional metadata Name/Id: CMA_0206 / CMA_0206
Category: Documentation
Title: Document the legal basis for processing personal information
Ownership: Customer
Description: Microsoft recommends that your organization determine and document the legal basis for processing personal data. Various data privacy regulations require organizations to be clear and transparent about which lawful basis is being used for processing personal data prior to or at the time of collection such as data subject consent, legal obligations, research studies, contractual obligations, protection of credit, protection of life or safety, or legitimate interests pursued by the controller or a third party. Processing of personal data can be irregular when it does not comply with regulatory requirements or when it does not provide the security expected by the data subject considering the following circumstances: the way the data was collected, the result and the risks that one can reasonably expect of the data processing, and techniques for processing personal data available at the time it was done. Microsoft also recommends that your organization do not collect, use, or disclose personal data for other purposes different from what has been informed unless the data subject is already informed of the new purposes and his or her consent has been given prior to such collection, use, or disclosure. If your organization intends to further process the personal data for a purpose other than that for which the personal data were collected, your organization may provide the data subject prior to that further processing with information on that other purpose and with any relevant further information. Additionally, consider establishing procedures for processing sensitive information such as individual's Social Security number to govern: - Publicly posting or display - Printing - Transmittal over internet - Use to access a web site It is also recommended to not collect personal information of other individuals related or not related through an end-user unless there is a legitimate reason such as national interest or requested by regulatory authority. The General Data Protection Regulation (GDPR) prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. NIST 800-53 recommends prohibiting the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity. Malta's Data Protection Act requires to process an identity document only when such processing is clearly justified by the importance of a secure identification, or any other valid reason provided by law.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 14 compliance controls are associated with this Policy definition 'Document the legal basis for processing personal information' (79c75b38-334b-1a69-65e0-a9d929a42f75)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
hipaa 1713.03c1Organizational.3-03.c hipaa-1713.03c1Organizational.3-03.c 1713.03c1Organizational.3-03.c 17 Risk Management 1713.03c1Organizational.3-03.c 03.01 Risk Management Program Shared n/a The organization mitigates any harmful effect that is known to the organization of a use or disclosure of sensitive information (e.g., PII) by the organization or its business partners, vendors, contractors, or similar third-parties in violation of its policies and procedures. 9
hipaa 1911.06d1Organizational.13-06.d hipaa-1911.06d1Organizational.13-06.d 1911.06d1Organizational.13-06.d 19 Data Protection & Privacy 1911.06d1Organizational.13-06.d 06.01 Compliance with Legal Requirements Shared n/a Records with sensitive personal information are protected during transfer to organizations lawfully collecting such information. 5
hipaa 19242.06d1Organizational.14-06.d hipaa-19242.06d1Organizational.14-06.d 19242.06d1Organizational.14-06.d 19 Data Protection & Privacy 19242.06d1Organizational.14-06.d 06.01 Compliance with Legal Requirements Shared n/a Covered information storage is kept to a minimum. 4
hipaa 19243.06d1Organizational.15-06.d hipaa-19243.06d1Organizational.15-06.d 19243.06d1Organizational.15-06.d 19 Data Protection & Privacy 19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements Shared n/a The organization specifies where covered information can be stored. 9
hipaa 19245.06d2Organizational.2-06.d hipaa-19245.06d2Organizational.2-06.d 19245.06d2Organizational.2-06.d 19 Data Protection & Privacy 19245.06d2Organizational.2-06.d 06.01 Compliance with Legal Requirements Shared n/a The organization has implemented technical means to ensure covered information is stored in organization-specified locations. 7
ISO27001-2013 A.12.4.1 ISO27001-2013_A.12.4.1 ISO 27001:2013 A.12.4.1 Operations Security Event Logging Shared n/a Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. link 53
op.exp.8 Recording of the activity op.exp.8 Recording of the activity 404 not found n/a n/a 67
PCI_DSS_v4.0 3.2.1 PCI_DSS_v4.0_3.2.1 PCI DSS v4.0 3.2.1 Requirement 03: Protect Stored Account Data Storage of account data is kept to a minimum Shared n/a Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following: • Coverage for all locations of stored account data. • Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. • Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements. • Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification. • Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy. • A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable. link 8
PCI_DSS_v4.0 3.3.1 PCI_DSS_v4.0_3.3.1 PCI DSS v4.0 3.3.1 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a SAD is not retained after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process. link 8
PCI_DSS_v4.0 3.3.1.1 PCI_DSS_v4.0_3.3.1.1 PCI DSS v4.0 3.3.1.1 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a The full contents of any track are not retained upon completion of the authorization process. link 8
PCI_DSS_v4.0 3.3.1.2 PCI_DSS_v4.0_3.3.1.2 PCI DSS v4.0 3.3.1.2 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a The card verification code is not retained upon completion of the authorization process. link 5
PCI_DSS_v4.0 3.3.1.3 PCI_DSS_v4.0_3.3.1.3 PCI DSS v4.0 3.3.1.3 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a The personal identification number (PIN) and the PIN block are not retained upon completion of the authorization process. link 8
PCI_DSS_v4.0 3.3.3 PCI_DSS_v4.0_3.3.3 PCI DSS v4.0 3.3.3 Requirement 03: Protect Stored Account Data Sensitive authentication data (SAD) is not stored after authorization Shared n/a Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is: • Limited to that which is needed for a legitimate issuing business need and is secured. • Encrypted using strong cryptography. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. link 13
SOC_2 P4.1 SOC_2_P4.1 SOC 2 Type 2 P4.1 Additional Criteria For Privacy Personal information use Shared The customer is responsible for implementing this recommendation. • Uses Personal Information for Intended Purposes — Personal information is used only for the intended purposes for which it was collected and only when implicit or explicit consent has been obtained, unless a law or regulation specifically requires otherwise. 5
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 79c75b38-334b-1a69-65e0-a9d929a42f75
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC