last sync: 2024-Jun-18 16:46:26 UTC

Incorporate security and data privacy practices in research processing | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Incorporate security and data privacy practices in research processing
Id 834b7a4a-83ab-2188-1a26-9c5033d8173b
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_0331 - Incorporate security and data privacy practices in research processing
Additional metadata Name/Id: CMA_0331 / CMA_0331
Category: Operational
Title: Incorporate security and data privacy practices in research processing
Ownership: Customer
Description: Microsoft recommends that your organization incorporate security and data privacy practices during research processing. It is recommended that your organization store personal data used for carrying out studies and research in a controlled and secure environment, along with pseudonymize or de-identify the personal data. Various data privacy regulations require that disclosure of the results or of any portion of the study or the research do not reveal personal data under any circumstances. The research plan should state the affiliation of each person involved in the research and the purpose and anticipated scientific or public benefit of the research. Additionally, your organization should ensure that the researcher do the following: - Use the information only for the purposes set out in the research plan - Not publish or disclose the information except as required by law and subject to the exceptions - Not make contact or attempt to contact the individual - Notify the organization immediately in writing if the researcher becomes aware of any breach - Comply with conditions and restrictions imposed by your organization related to the use, security, disclosure, return or disposal of the information - Not use the data for making a decision that produces legal or significant effects on the data subject. The General Data Protection Regulation (GDPR) states that the data subject, where personal data are processed for scientific or historical research purposes or statistical purposes, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest. The Canada Personal Health Information Protection Act (PHIPA) states that your organization may disclose personal health information with a researcher under certain conditions, such as if the research uses personal health information originating outside of Ontario, the research has been approved by a body outside Ontario that has the function of approving research, and the prescribed requirements are met. The Canada PHIPA also recommends that your organization ensure that the researcher complies with conditions set out by the research board and that a research plan is established. As per Estonia Personal Data Protection Act, scientific and historical research based on special categories of personal information shall undergo a prior verification by the ethics committee for the purpose of evaluating the organization's compliance activities. If there is no ethics committee in the scientific area, your organization may have to verify compliance through the Estonian Data Protection Inspectorate. The Belgium's Act on the Protection of Natural Persons with regard to the Processing of Personal Data require organizations processing personal data for historical, scientific or statistical purposes to not engage in activities designed to convert the anonymous or pseudonymized data into non-anonymous or non-pseudonymized data. Organizations may only de-pseudonymize data if it is necessary for the research or statistical purposes, and, where applicable, after consulting the Data Protection Officer. The Act also requires the controllers to anonymize or pseudonymize the data before sharing with any other controller tasked with the further processing and ensure that the third party is unable to reproduce the data communicated. Only the controller of the original processing who pseudonymized the data or the trusted third party shall have access to the pseudonymization keys
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 4 compliance controls are associated with this Policy definition 'Incorporate security and data privacy practices in research processing' (834b7a4a-83ab-2188-1a26-9c5033d8173b)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
ISO27001-2013 A.12.1.4 ISO27001-2013_A.12.1.4 ISO 27001:2013 A.12.1.4 Operations Security Separation of development, testing and operational environments Shared n/a Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment. link 10
mp.sw.1 IT Aplications development mp.sw.1 IT Aplications development 404 not found n/a n/a 51
mp.sw.2 Acceptance and commissioning mp.sw.2 Acceptance and commissioning 404 not found n/a n/a 60
PCI_DSS_v4.0 6.5.5 PCI_DSS_v4.0_6.5.5 PCI DSS v4.0 6.5.5 Requirement 06: Develop and Maintain Secure Systems and Software Changes to all system components are managed securely Shared n/a Live PANs are not used in pre-production environments, except where those environments are included in the CDE and protected in accordance with all applicable PCI DSS requirements. link 1
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add 834b7a4a-83ab-2188-1a26-9c5033d8173b
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC