How To Protect Your Privacy Online From Your Company Or Affiliates




Data Security and Privacy: Proposed Threshold Questions and Initial Due Diligence

Definitions

Personal Information means any information that can be used to identify a specific individual, for example, such individual's name, physical address, telephone number, fax number, or email address.

Sensitive Personal Information means information that requires special protection, such as Social Security number, government identification number, credit card number, bank account information, driver's license number, or information regarding an individual's health, race, ethnicity, religious or philosophical belief, trade union membership, political beliefs, sexual orientation, or criminal background.

Each item below gives the Issue, the Threshold Question to put to the target company, and the Annotation explaining why the question matters.

Issue: Privacy: Types of Data Collected
Threshold Question: List all the categories of Personal Information and/or Sensitive Personal Information the Company and its affiliates collect, use, or process (i.e., employee, customer, supplier, consumer data, payment card data, biometrics, any information about children, healthcare/medical information, government identifiers or driver's license information).
Annotation: It is important to get an understanding regarding the types of Personal Information and/or Sensitive Personal Information the target and its affiliates are collecting, using, and/or processing. This understanding helps determine the overall privacy risk of the target.

Issue: Privacy: Locations of Company and Data Collection
Threshold Question: In what countries does Company or its affiliates have a presence, including employees, offices, data centers, or bases of operation? From which countries does Company or affiliates collect Personal Information from individuals, including employees, customers and consumers? Is Personal Information shared between or among affiliates? If yes, which types?
Annotation: Enforcement of privacy legislation centers either on: (1) the jurisdictions in which the target, its employees, and its data reside, or (2) the jurisdictions in which the data is collected or processed. It's also important to understand the target's philosophy regarding the sharing of data with affiliates.

Issue: Privacy: Direct Marketing Activities
Threshold Question: Does Company or its affiliates (or a vendor on behalf of Company or its affiliates) use Personal Information to engage in direct marketing (i.e., e-mail, postal mail, telemarketing [inbound or outbound], delivery of marketing and non-marketing text messages, fax advertising, delivery of marketing and non-marketing prerecorded messages, use of an autodialer to place marketing and non-marketing calls to cell phones)? Does Company or its affiliates (or a vendor on behalf of Company or its affiliates) use Sensitive Personal Information to engage in direct marketing?
Annotation: Many of today's privacy regulations have been promulgated to regulate the use of data in marketing activities. So it's imperative to understand the target's use of data in such marketing activities, and whether the target or its affiliate also uses Sensitive Personal Information in marketing activities (for which there is a higher use standard and penalty in almost all jurisdictions).

Issue: Privacy: Tracking Functionality
Threshold Question: Does Company or its affiliates (or a vendor on behalf of Company and its affiliates) use technical or other tracking functionality to track individuals for the purpose of online behavioral advertising, retargeting, content personalization, or content delivery through methods such as cookies, beacons/tags, JavaScript, local storage, browser fingerprinting, or other, similar means?
Annotation: In response to recent Cookie legislation worldwide, this question is now imperative to ensure target compliance with the use of tracker technologies.

Issue: Privacy: Use of De-Identified/Anonymized Personal Information
Threshold Question: Does Company or its affiliates (or a vendor on behalf of Company and its affiliates) de-identify/anonymize Personal Information for any purpose, including but not limited to improvement of internal systems, research or academia (e.g. white papers), or marketing of any kind? If so, please describe the means of de-identification or anonymization and provide copies of any applicable or legally required employee and customer consents for such use.
Annotation: Many jurisdictions now regulate even the use of de-identified/anonymized data. So it's important to ask the target whether it has business models or other uses of de-identified data, and whether appropriate consents are in place.

Issue: Privacy: Information Collected or Held as a Vendor or Service Provider for Others
Threshold Question: Does Company or its affiliates host Personal Information on behalf of another company as a service provider? Does Company or its affiliates have access to the Personal Information of its customers' customers?
Annotation: Many jurisdictions now have a higher privacy standard for companies operating as ISPs or hosting providers, and thus it's important to understand if this is also part of the target's business model and, if so, what kinds of data are hosted and whether affiliates have access to such data.

Issue: Privacy: Compliance Policies and Documents
Threshold Question: Provide copies of the Company's internal policies relating to privacy and data security activities (i.e., technology use policy, product development guidelines, privacy impact assessments, breach notification procedure). Provide copies of all Data Protection Authority ("DPA") registrations, notifications and/or authorizations.
Annotation: Best practices today require internal policies with respect to the target's privacy practices vis-à-vis its employees and contingent workers. Several jurisdictions also require registration of databases (DPA), so copies of the registrations are necessary.

Issue: Privacy: Notices
Threshold Question: Please provide copies of all current or prior notices to individuals provided by Company or its affiliates relating to employees, consumers, websites, and customers.
Annotation: A basic requirement of nearly every jurisdiction today is an appropriate external privacy notice.

Issue: Privacy and Data Security: Data Security Breach
Threshold Question: Has Company or any affiliate had a data security breach or an unauthorized access or acquisition of Personal Information ("Breach")? If yes, please describe any actual Breaches that have occurred in the last 5 years.
Annotation: It is important to know whether the target has experienced any data breaches. This understanding is required since some companies have longer-term requirements from regulators in order to resolve past data breaches. It also demonstrates what type of organization the target is from a data protection perspective (if the target has experienced several breaches).

Issue: Privacy and Data Security: Existing/Prior Privacy or Data Security Investigation
Threshold Question: Has Company or any affiliate received any complaint, notice of suspicious activities on systems, regulatory inquiries, consent decrees, citations, fines, administrative actions, or pending, resolved, or threatened litigation regarding privacy or data security? If yes, please describe.
Annotation: It is also important to understand whether the target is a usual target for regulatory or 3rd-party investigation for perceived or actual data protection violations.

Issue: Privacy and Data Security: Data Disclosure to Third Parties and Vendors
Threshold Question: Does Company or its affiliates share, disclose, sell, or rent Personal Information with unaffiliated third parties (including sharing with customers, service providers and other third parties)? If so, please explain and provide all contracts relating to such sharing.
Annotation: While many statutes worldwide allow sharing of data with affiliates, far fewer allow sharing of data with non-affiliates. So it's important to understand the target's practices in this regard, and the mechanism by which they justify sharing of data with non-affiliates.

Issue: Data Security: Policies and Procedures
Threshold Question: Provide any policy documentation relating to administrative, technical, and physical controls to protect against the unauthorized access, use, or disclosure of Personal Information or Sensitive Personal Information and describe: (i) practices and procedures associated with such policies; and (ii) capabilities used to protect Personal Information and access to the Company network (including but not limited to anti-virus/security software, physical security controls to facilities and sensitive areas, password policies, access controls, Internet access and firewall policies, security of data in storage and in transmission, retention periods).
Annotation: Many regulations require information security policies and procedures or other detailed documentation or controls which govern the target's physical, administrative, or technical security safeguards.

Issue: Data Security: Malware Attacks and Response
Threshold Question: Has the Company, affiliates, or supplier-supported functions ever had any significant outages or had to rebuild any systems supporting the Company, in whole or in part, due to virus outbreak, breach, or malware infestation?
Annotation: This threshold question reveals whether a target has been injured or otherwise affected, in fact, by attacks (which helps reveal the level of scrutiny given to the target's security systems and controls).

Issue: Data Security: Audits and Controls Assessments
Threshold Question: Provide any external audit reports or standard evaluations regarding the integrity of your systems/network controls (i.e., SAS70, ISO27001 certification, SOC II, response to customer/partner queries) for the past 5 years.
Annotation: Whether the security audit is conducted at the target's request or at 3rd-party request, it's important to be able to review the results of such audits.

Issue: Data Security / Regulatory Compliance
Threshold Question: Does Company or its affiliates have access to information that touches on sectoral regulations, including but not limited to payment card information, healthcare, financial, marketing, children, etc.?
Annotation: This residuary question is important in determining which sectors (and related sectoral regulations) affect the target.