last sync: 2024-Jul-16 18:17:33 UTC

Document and implement privacy complaint procedures | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Document and implement privacy complaint procedures
Id eab4450d-9e5c-4f38-0656-2ff8c78c83f3
Version 1.1.0
Details on versioning
Category Regulatory Compliance
Microsoft Learn
Description CMA_0189 - Document and implement privacy complaint procedures
Additional metadata Name/Id: CMA_0189 / CMA_0189
Category: Operational
Title: Document and implement privacy complaint procedures
Ownership: Customer
Description: Microsoft recommends that your organization implement a complaint procedure to resolve disputes in a fair and efficient way, inclusive of the following: - Designation of an accountable owner to address the lodged complaints - Documentation/recording of all received complaints - Investigation and appropriate measures on justified complaints within reasonable time frame - Documentation of unresolved challenges that can be made available to required third parties - Requirements to follow in response to complaints (e.g. prohibition of abbreviations or codes, etc.) - Communication process for decisions to the interested party, including if the decision is to not address the claim or if there will be a delay in the response It is recommended to determine the information that the interested party must include in their petition or consultation, such as who to address, the interested party's identification, a description of the facts behind the claim, among others relevant details. It is also recommended to determine a process for submitting complaints on behalf of your organization to relevant regulatory authorities. This can include escalating a petition against an individual or an entity that has violated a privacy policy. The New Zealand Health Information Privacy Code requires every health agency to: - Designate a person or persons to deal with and facilitate the fair, simple, speedy, and efficient resolution of complaints - Implement a complaints procedure which: - Provides the acknowledgement of a complaint in writing, within 5 working days of receipt, unless it has been resolved to the satisfaction of the complainant within that period - Informs the complainant of any relevant internal and external complaints procedures - Documents the complaint and the actions of the health agency regarding that complaint - Accepts or rejects the complaint within 10 working days from the acknowledgement the complaint - If more time is needed to investigate the complaint, determines how much additional time is needed, and if that additional time is more than 20 working days, informs the complainant of that determination and of the informs the complainant of that determination and of the reasons for it - In case of complaint rejection, provides the complainant the reasons for the decision, any actions the agency proposes to take, any appeal procedure the agency has in place, and the right to complain to the Privacy Commissioner as soon as practicable after the agency decision
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 4 compliance controls are associated with this Policy definition 'Document and implement privacy complaint procedures' (eab4450d-9e5c-4f38-0656-2ff8c78c83f3)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
ISO27001-2013 A.6.1.1 ISO27001-2013_A.6.1.1 ISO 27001:2013 A.6.1.1 Organization of Information Security Information security roles and responsibilities Shared n/a All information security responsibilities shall be clearly defined and allocated. link 73
org.1 Security policy org.1 Security policy 404 not found n/a n/a 94
org.4 Authorization process org.4 Authorization process 404 not found n/a n/a 127
SOC_2 P8.1 SOC_2_P8.1 SOC 2 Type 2 P8.1 Additional Criteria For Privacy Privacy complaint management and compliance management Shared The customer is responsible for implementing this recommendation. • Communicates to Data Subjects — Data subjects are informed about how to contact the entity with inquiries, complaints, and disputes. • Addresses Inquiries, Complaints, and Disputes — A process is in place to address inquiries, complaints, and disputes. • Documents and Communicates Dispute Resolution and Recourse — Each complaint is addressed and the resolution is documented and communicated to the individual. • Documents and Reports Compliance Review Results — Compliance with objectives related to privacy are reviewed and documented and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented. • Documents and Reports Instances of Noncompliance — Instances of noncompliance with objectives related to privacy are documented and reported and, if needed, corrective and disciplinary measures are taken on a timely basis. • Performs Ongoing Monitoring — Ongoing procedures are performed for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary. 5
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add eab4450d-9e5c-4f38-0656-2ff8c78c83f3
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC