last sync: 2024-Apr-24 17:46:58 UTC

Document and distribute a privacy policy | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Document and distribute a privacy policy
Id: ee67c031-57fc-53d0-0cca-96c4c04345e8
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_0188 - Document and distribute a privacy policy
Additional metadata:
  Name/Id: CMA_0188 / CMA_0188
  Category: Documentation
  Title: Document and distribute a privacy policy
  Ownership: Customer
Description: Microsoft recommends that your organization document a privacy policy establishing data privacy requirements. It is recommended that the policy cover the operations of personal data processing and outline the following data privacy principles: purpose, period of retention, method of destruction, international and third-party data transfer, automatic collection, Data Protection Officer roles and responsibilities, suitability, necessity, free access, quality, transparency, security, prevention, non-discrimination, disciplinary actions on non-compliance, and accountability. Your organization may document a description of consumer rights along with the security requirements for systems processing personal data. These requirements can be developed as a stand-alone policy or incorporated into an existing policy within your organization. Your organization should consider distributing the privacy policy to all employees and making the policy available on your organization's site to inform consumers prior to their consent. Your organization may include basic information about the accountable person handling complaints, personal information made available to subsidiaries, and the types of personal information held by the organization, including their uses and the ways of gaining access to them. If any changes to the privacy policy are made, your organization should then consider publishing the new policy publicly, stating the reason for and the nature of the changes. Consider maintaining a central resource webpage on the organization's principal public website that serves as a central source of information about the organization's privacy program and that: a. provides public access to information about organizational privacy activities and the ability to communicate with its senior agency official for privacy; b. publishes privacy practices and reports; c. employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices. Microsoft also recommends that your organization maintain a description of online service terms, contractual obligations and GDPR agreements along with the privacy policy.
Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Manual (default), Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (1)
The following 3 compliance controls are associated with this Policy definition 'Document and distribute a privacy policy' (ee67c031-57fc-53d0-0cca-96c4c04345e8).

Control 1
  Control Domain: hipaa
  Control Name: 1902.06d1Organizational.2-06.d
  MetadataId: hipaa-1902.06d1Organizational.2-06.d
  Category: 1902.06d1Organizational.2-06.d 19 Data Protection & Privacy
  Title: 1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements
  Owner: Shared
  Requirements: n/a
  Description: When required, consent is obtained before any PII (e.g., about a client/customer) is emailed, faxed, or communicated by telephone conversation, or otherwise disclosed to parties external to the organization.
  Policy#: 11

Control 2
  Control Domain: ISO27001-2013
  Control Name: A.10.1.1
  MetadataId: ISO27001-2013_A.10.1.1
  Category: ISO 27001:2013 A.10.1.1 Cryptography
  Title: Policy on the use of cryptographic controls
  Owner: Shared
  Requirements: n/a
  Description: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
  Policy#: 18

Control 3
  Control Domain: SOC_2
  Control Name: P1.1
  MetadataId: SOC_2_P1.1
  Category: SOC 2 Type 2 P1.1 Additional Criteria For Privacy
  Title: Privacy notice
  Owner: Shared
  Requirements: The customer is responsible for implementing this recommendation.
  Description:
    Communicates to Data Subjects: Notice is provided to data subjects regarding the following:
      Purpose for collecting personal information
      Choice and consent
      Types of personal information collected
      Methods of collection (for example, use of cookies or other tracking techniques)
      Use, retention, and disposal
      Access
      Disclosure to third parties
      Security for privacy
      Quality, including data subjects' responsibilities for quality
      Monitoring and enforcement
    Provides Notice to Data Subjects: Notice is provided to data subjects (1) at or before the time personal information is collected or as soon as practical thereafter, (2) at or before the entity changes its privacy notice or as soon as practical thereafter, or (3) before personal information is used for new purposes not previously identified.
    Covers Entities and Activities in Notice: An objective description of the entities and activities covered is included in the entity's privacy notice.
    Uses Clear and Conspicuous Language: The entity's privacy notice is conspicuous and uses clear language.
  Policy#: 5
Initiatives usage

Initiative 1
  DisplayName: HITRUST/HIPAA
  Initiative Id: a169a624-5599-4385-a696-c8d643089fab
  Category: Regulatory Compliance
  State: GA
  Type: BuiltIn

Initiative 2
  DisplayName: ISO 27001:2013
  Initiative Id: 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2
  Category: Regulatory Compliance
  State: GA
  Type: BuiltIn

Initiative 3
  DisplayName: SOC 2 Type 2
  Initiative Id: 4054785f-702b-4a98-9215-009cbd58b141
  Category: Regulatory Compliance
  State: GA
  Type: BuiltIn
Change history (Date/Time in UTC, ymd)

2022-09-27 16:35:32  change  Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29  add     ee67c031-57fc-53d0-0cca-96c4c04345e8